vidar | 20593dd40ac0559ee48756078596dc482d5c1ee417518988777e34c174c01d3c

Analysis

max time kernel
150s
max time network
159s
platform
windows10_x64
resource
win10v20210408
submitted
10-06-2021 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41CCF2991FAF22D76A6D0F1BC576676C.exe
Size

530KB
MD5

41ccf2991faf22d76a6d0f1bc576676c
SHA1

33a81d32c114e65434f2213ef78d78674d23c1dd
SHA256

20593dd40ac0559ee48756078596dc482d5c1ee417518988777e34c174c01d3c
SHA512

f955b48e761116ed2b18ed899bbe201f8327c08ad0f911852be0688d16b37798eba3202a1e89cec5ad0015fdbee9c8a3f387fe1ac6a37d136ed5b2b21f992699

Score

10^/10

vidar discovery evasion persistence stealer upx vmprotect

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

___________Food_C235_2427.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ___________Food_C235_2427.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	___________Food_C235_2427.exe

Executes dropped EXE 9 IoCs

Processes:

41CCF2991FAF22D76A6D0F1BC576676C.tmp___________Food_C235_2427.exeprolab.exeprolab.tmpSiqomesheda.exeLitunobegu.exe001.exeinstaller.exegaoou.exe

pid	process
3236	41CCF2991FAF22D76A6D0F1BC576676C.tmp
3340	___________Food_C235_2427.exe
2216	prolab.exe
1140	prolab.tmp
392	Siqomesheda.exe
2064	Litunobegu.exe
1144	001.exe
4636	installer.exe
804	gaoou.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5456-289-0x0000000001050000-0x00000000016AF000-memory.dmp	vmprotect
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	vmprotect
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Siqomesheda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Siqomesheda.exe

Loads dropped DLL 3 IoCs

Processes:

41CCF2991FAF22D76A6D0F1BC576676C.tmpinstaller.exe

pid process

3236 41CCF2991FAF22D76A6D0F1BC576676C.tmp
4636 installer.exe
4636 installer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gaoou.exe___________Food_C235_2427.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\SHamugavofa.exe\""	___________Food_C235_2427.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com
64 ipinfo.io
66 ipinfo.io
215 ip-api.com

flow	ioc
42	ip-api.com
64	ipinfo.io
66	ipinfo.io
215	ip-api.com

Drops file in Program Files directory 24 IoCs

Processes:

prolab.tmp___________Food_C235_2427.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-OMDA5.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-K4AHB.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-OB6QT.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-GOL8B.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-085TF.tmp	prolab.tmp
File created	C:\Program Files (x86)\Windows NT\SHamugavofa.exe	___________Food_C235_2427.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-48T1T.tmp	prolab.tmp
File created	C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe	___________Food_C235_2427.exe
File created	C:\Program Files (x86)\Windows NT\SHamugavofa.exe.config	___________Food_C235_2427.exe
File created	C:\Program Files (x86)\Picture Lab\is-HU75R.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-5Q584.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-ESPKU.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe.config	___________Food_C235_2427.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-8J266.tmp	prolab.tmp

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

7296 5156 WerFault.exe P9QPEmWAQLto.exe
7528 4016 WerFault.exe file4.exe
5616 5100 WerFault.exe rUNdlL32.eXe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6824 taskkill.exe
6816 taskkill.exe
7548 taskkill.exe
8340 taskkill.exe
6132 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	pid_target	process	target process
7296	5156	WerFault.exe	P9QPEmWAQLto.exe
7528	4016	WerFault.exe	file4.exe
5616	5100	WerFault.exe	rUNdlL32.eXe

pid	process
6824	taskkill.exe
6816	taskkill.exe
7548	taskkill.exe
8340	taskkill.exe
6132	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5bc8b2895d5ed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{39394B41-AFDC-44B2-B80C-06219808A523}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000009e4a5bb8e8b6c0f6305e3571aba498f3c61c1b9f7cd0beac4d61c21adbaa9b7527da53f953288fe8c8a921c632e12e9ca506663b11322371e7db18f5665c9d9cda66dfd1bba2d81596da0032ba14b25a87affdf97b0b5654efae	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

8696 PING.EXE
7932 PING.EXE
8356 PING.EXE

pid	process
8696	PING.EXE
7932	PING.EXE
8356	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

prolab.tmpLitunobegu.exe

pid	process
1140	prolab.tmp
1140	prolab.tmp
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe
2064	Litunobegu.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

___________Food_C235_2427.exeSiqomesheda.exeLitunobegu.exeMicrosoftEdge.exe

description	pid	process
Token: SeDebugPrivilege	3340	___________Food_C235_2427.exe
Token: SeDebugPrivilege	392	Siqomesheda.exe
Token: SeDebugPrivilege	2064	Litunobegu.exe
Token: SeDebugPrivilege	2608	MicrosoftEdge.exe
Token: SeDebugPrivilege	2608	MicrosoftEdge.exe
Token: SeDebugPrivilege	2608	MicrosoftEdge.exe
Token: SeDebugPrivilege	2608	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

prolab.tmpinstaller.exe

pid process

1140 prolab.tmp
4636 installer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2608 MicrosoftEdge.exe
4912 MicrosoftEdgeCP.exe

pid	process
2608	MicrosoftEdge.exe
4912	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

41CCF2991FAF22D76A6D0F1BC576676C.exe41CCF2991FAF22D76A6D0F1BC576676C.tmp___________Food_C235_2427.exeprolab.exeLitunobegu.execmd.execmd.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 3236	808	41CCF2991FAF22D76A6D0F1BC576676C.exe	41CCF2991FAF22D76A6D0F1BC576676C.tmp
PID 808 wrote to memory of 3236	808	41CCF2991FAF22D76A6D0F1BC576676C.exe	41CCF2991FAF22D76A6D0F1BC576676C.tmp
PID 808 wrote to memory of 3236	808	41CCF2991FAF22D76A6D0F1BC576676C.exe	41CCF2991FAF22D76A6D0F1BC576676C.tmp
PID 3236 wrote to memory of 3340	3236	41CCF2991FAF22D76A6D0F1BC576676C.tmp	___________Food_C235_2427.exe
PID 3236 wrote to memory of 3340	3236	41CCF2991FAF22D76A6D0F1BC576676C.tmp	___________Food_C235_2427.exe
PID 3340 wrote to memory of 2216	3340	___________Food_C235_2427.exe	prolab.exe
PID 3340 wrote to memory of 2216	3340	___________Food_C235_2427.exe	prolab.exe
PID 3340 wrote to memory of 2216	3340	___________Food_C235_2427.exe	prolab.exe
PID 2216 wrote to memory of 1140	2216	prolab.exe	prolab.tmp
PID 2216 wrote to memory of 1140	2216	prolab.exe	prolab.tmp
PID 2216 wrote to memory of 1140	2216	prolab.exe	prolab.tmp
PID 3340 wrote to memory of 392	3340	___________Food_C235_2427.exe	Siqomesheda.exe
PID 3340 wrote to memory of 392	3340	___________Food_C235_2427.exe	Siqomesheda.exe
PID 3340 wrote to memory of 2064	3340	___________Food_C235_2427.exe	Litunobegu.exe
PID 3340 wrote to memory of 2064	3340	___________Food_C235_2427.exe	Litunobegu.exe
PID 2064 wrote to memory of 4720	2064	Litunobegu.exe	cmd.exe
PID 2064 wrote to memory of 4720	2064	Litunobegu.exe	cmd.exe
PID 4720 wrote to memory of 1144	4720	cmd.exe	001.exe
PID 4720 wrote to memory of 1144	4720	cmd.exe	001.exe
PID 4720 wrote to memory of 1144	4720	cmd.exe	001.exe
PID 2064 wrote to memory of 4420	2064	Litunobegu.exe	cmd.exe
PID 2064 wrote to memory of 4420	2064	Litunobegu.exe	cmd.exe
PID 2064 wrote to memory of 4116	2064	Litunobegu.exe	cmd.exe
PID 2064 wrote to memory of 4116	2064	Litunobegu.exe	cmd.exe
PID 4116 wrote to memory of 4636	4116	cmd.exe	installer.exe
PID 4116 wrote to memory of 4636	4116	cmd.exe	installer.exe
PID 4116 wrote to memory of 4636	4116	cmd.exe	installer.exe
PID 2064 wrote to memory of 4984	2064	Litunobegu.exe	cmd.exe
PID 2064 wrote to memory of 4984	2064	Litunobegu.exe	cmd.exe
PID 4984 wrote to memory of 804	4984	cmd.exe	gaoou.exe
PID 4984 wrote to memory of 804	4984	cmd.exe	gaoou.exe
PID 4984 wrote to memory of 804	4984	cmd.exe	gaoou.exe

C:\Users\Admin\AppData\Local\Temp\41CCF2991FAF22D76A6D0F1BC576676C.exe
"C:\Users\Admin\AppData\Local\Temp\41CCF2991FAF22D76A6D0F1BC576676C.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\is-R9L9N.tmp\41CCF2991FAF22D76A6D0F1BC576676C.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R9L9N.tmp\41CCF2991FAF22D76A6D0F1BC576676C.tmp" /SL5="$2010E,258790,175104,C:\Users\Admin\AppData\Local\Temp\41CCF2991FAF22D76A6D0F1BC576676C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\is-8AJ55.tmp\___________Food_C235_2427.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8AJ55.tmp\___________Food_C235_2427.exe" /S /UID=lab213
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe
      "C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\is-NFRQI.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NFRQI.tmp\prolab.tmp" /SL5="$7006C,575243,216576,C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\75-4ed72-b0a-bdab5-0cb04bb06ae49\Siqomesheda.exe
      "C:\Users\Admin\AppData\Local\Temp\75-4ed72-b0a-bdab5-0cb04bb06ae49\Siqomesheda.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Litunobegu.exe
      "C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Litunobegu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\34jzbiam.hkn\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\34jzbiam.hkn\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\34jzbiam.hkn\001.exe
        6⤵
        Executes dropped EXE
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tzju5e2k.hvb\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:4420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4636
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1623114071 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wdskqvdp.hrc\gaoou.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\wdskqvdp.hrc\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdskqvdp.hrc\gaoou.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe /Verysilent /subid=623
        6⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\is-ILU35.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ILU35.tmp\Setup3310.tmp" /SL5="$302DC,138429,56832,C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe" /Verysilent /subid=623
        7⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:4792
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:7156
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        
        PID:5488
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\is-8GUPS.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8GUPS.tmp\lylal220.tmp" /SL5="$103DC,491750,408064,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\is-IAT4H.tmp\56FT____________________.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IAT4H.tmp\56FT____________________.exe" /S /UID=lylal220
        11⤵
        
        PID:5300
        
        C:\Program Files\VideoLAN\YPCUNCPGBR\irecord.exe
        
        "C:\Program Files\VideoLAN\YPCUNCPGBR\irecord.exe" /VERYSILENT
        12⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\is-3RAC6.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3RAC6.tmp\irecord.tmp" /SL5="$40436,6139911,56832,C:\Program Files\VideoLAN\YPCUNCPGBR\irecord.exe" /VERYSILENT
        13⤵
        
        PID:8052
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\52-55a19-cdc-deaaf-e48e2b79eb106\Raqamozhyto.exe
        
        "C:\Users\Admin\AppData\Local\Temp\52-55a19-cdc-deaaf-e48e2b79eb106\Raqamozhyto.exe"
        12⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\40-de606-580-bfb93-47293ede0ecb3\Lodeqaesabo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40-de606-580-bfb93-47293ede0ecb3\Lodeqaesabo.exe"
        12⤵
        
        PID:6428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sc1c0ufy.bmh\001.exe & exit
        13⤵
        
        PID:5124
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\is-4E38T.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4E38T.tmp\LabPicV3.tmp" /SL5="$4037E,506086,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\is-FRHBU.tmp\_____________.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FRHBU.tmp\_____________.exe" /S /UID=lab214
        11⤵
        
        PID:5168
        
        C:\Program Files\Uninstall Information\MUJUSYFHMW\prolab.exe
        
        "C:\Program Files\Uninstall Information\MUJUSYFHMW\prolab.exe" /VERYSILENT
        12⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\is-B8S48.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B8S48.tmp\prolab.tmp" /SL5="$10586,575243,216576,C:\Program Files\Uninstall Information\MUJUSYFHMW\prolab.exe" /VERYSILENT
        13⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\48-582d2-88a-8ee89-7a2246df793fe\Paelibolizhu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\48-582d2-88a-8ee89-7a2246df793fe\Paelibolizhu.exe"
        12⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\2c-8d7eb-692-c309a-5def6f27374b7\Monaejilisa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2c-8d7eb-692-c309a-5def6f27374b7\Monaejilisa.exe"
        12⤵
        
        PID:7288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rpkmuosq.2w3\001.exe & exit
        13⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\rpkmuosq.2w3\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\rpkmuosq.2w3\001.exe
        14⤵
        
        PID:8608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o1zx3x5g.iaq\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:8456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x0vxzfb4.u1d\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:8760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q305uekp.g5i\gaoou.exe & exit
        13⤵
        
        PID:8280
        
        C:\Program Files (x86)\Data Finder\Versium Research\Cube_WW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\Cube_WW.exe"
        9⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\VinDiesel.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\VinDiesel.exe
        10⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Vlcplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Vlcplayer.exe
        10⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Starne.vssm
        11⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd
        12⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^xOPnRHccwLlqXLcXNbyVTewvYBNUOQNrBSTCQBDisCMXHQdfMnqcbQQsNaAfTAGlYuntRSikUYDddrOilnofQsGKeCObwhhQVBYBaknTsPBmhmwJEzycasxGmNeftJpG$" Cercando.vssm
        13⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distinte.exe.com
        
        Distinte.exe.com q
        13⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distinte.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distinte.exe.com q
        14⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distinte.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Distinte.exe.com q
        15⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        13⤵
        Runs ping.exe
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Lovebirds_2021-06-10_19-23.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Lovebirds_2021-06-10_19-23.exe
        10⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\hBKKvc5PYJSJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\hBKKvc5PYJSJ.exe
        10⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\hBKKvc5PYJSJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\hBKKvc5PYJSJ.exe
        11⤵
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\crisat.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\crisat.exe
        10⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\3jf7Vn0yW07E.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\3jf7Vn0yW07E.exe
        10⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\3jf7Vn0yW07E.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\3jf7Vn0yW07E.exe
        11⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\UnpackChrome.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\UnpackChrome.exe
        10⤵
        
        PID:5408
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        11⤵
        
        PID:4848
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        12⤵
        
        PID:5296
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5296.0.923002315\1799765673" -parentBuildID 20200403170909 -prefsHandle 1424 -prefMapHandle 1416 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5296 "\\.\pipe\gecko-crash-server-pipe.5296" 1504 gpu
        13⤵
        
        PID:6688
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5296.3.1169001457\2123341770" -childID 1 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5296 "\\.\pipe\gecko-crash-server-pipe.5296" 5600 tab
        13⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\app.exe
        10⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\ner.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\ner.exe
        10⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\VCBuilds\ner.exe" & exit
        11⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\10_6_r_net.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\10_6_r_net.exe
        10⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
        11⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Setup2.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\Setup2.exe
        10⤵
        
        PID:5140
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        11⤵
        
        PID:4416
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        12⤵
        
        PID:6064
        
        C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        11⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2696
        12⤵
        Program crash
        
        PID:7528
        
        C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
        11⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\jingzhang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jingzhang.exe" end
        12⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\setup_2.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\setup_2.exe
        10⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\jooyu.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\jooyu.exe
        10⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\2_5337105938887217200.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\2_5337105938887217200.exe
        10⤵
        
        PID:5232
        
        C:\Program Files (x86)\Browzar\P9QPEmWAQLto.exe
        
        "C:\Program Files (x86)\Browzar\P9QPEmWAQLto.exe"
        11⤵
        
        PID:5144
        
        C:\Program Files (x86)\Browzar\P9QPEmWAQLto.exe
        
        "C:\Program Files (x86)\Browzar\P9QPEmWAQLto.exe"
        12⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 24
        13⤵
        Program crash
        
        PID:7296
        
        C:\Program Files (x86)\Browzar\Browzar.exe
        
        "C:\Program Files (x86)\Browzar\Browzar.exe"
        11⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\app.exe
        10⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\VCBuilds\google-game.exe
        10⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
        11⤵
        
        PID:8036
        
        C:\Users\Admin\Documents\Setup2.exe
        
        C:\Users\Admin\Documents\Setup2.exe
        10⤵
        
        PID:4820
        
        C:\Users\Admin\Documents\app.exe
        
        C:\Users\Admin\Documents\app.exe
        10⤵
        
        PID:2952
        
        C:\Users\Admin\Documents\UnpackChrome.exe
        
        C:\Users\Admin\Documents\UnpackChrome.exe
        10⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 4228 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UnpackChrome.exe"
        11⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4228
        12⤵
        Kills process with taskkill
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 4228 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UnpackChrome.exe"
        11⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 4228
        12⤵
        Kills process with taskkill
        
        PID:6824
        
        C:\Users\Admin\Documents\3jf7Vn0yW07E.exe
        
        C:\Users\Admin\Documents\3jf7Vn0yW07E.exe
        10⤵
        
        PID:5712
        
        C:\Users\Admin\Documents\3jf7Vn0yW07E.exe
        
        C:\Users\Admin\Documents\3jf7Vn0yW07E.exe
        11⤵
        
        PID:7620
        
        C:\Users\Admin\Documents\Lovebirds_2021-06-10_19-23.exe
        
        C:\Users\Admin\Documents\Lovebirds_2021-06-10_19-23.exe
        10⤵
        
        PID:4768
        
        C:\Users\Admin\Documents\crisat.exe
        
        C:\Users\Admin\Documents\crisat.exe
        10⤵
        
        PID:1164
        
        C:\Users\Admin\Documents\app.exe
        
        C:\Users\Admin\Documents\app.exe
        10⤵
        
        PID:5520
        
        C:\Users\Admin\Documents\jooyu.exe
        
        C:\Users\Admin\Documents\jooyu.exe
        10⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:5220
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        10⤵
        
        PID:4432
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        11⤵
        
        PID:7460
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        
        C:\Users\Admin\Documents\hBKKvc5PYJSJ.exe
        11⤵
        
        PID:7452
        
        C:\Users\Admin\Documents\2_5337105938887217200.exe
        
        C:\Users\Admin\Documents\2_5337105938887217200.exe
        10⤵
        
        PID:4296
        
        C:\Users\Admin\Documents\setup_2.exe
        
        C:\Users\Admin\Documents\setup_2.exe
        10⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\setup_2.exe"
        11⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        12⤵
        Runs ping.exe
        
        PID:7932
        
        C:\Users\Admin\Documents\google-game.exe
        
        C:\Users\Admin\Documents\google-game.exe
        10⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
        11⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 616
        12⤵
        Program crash
        
        PID:5616
        
        C:\Users\Admin\Documents\10_6_r_net.exe
        
        C:\Users\Admin\Documents\10_6_r_net.exe
        10⤵
        
        PID:6196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
        11⤵
        
        PID:4224
        
        C:\Users\Admin\Documents\ner.exe
        
        C:\Users\Admin\Documents\ner.exe
        10⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ner.exe" /f & erase "C:\Users\Admin\Documents\ner.exe" & exit
        11⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:8340
        
        C:\Users\Admin\Documents\VinDiesel.exe
        
        C:\Users\Admin\Documents\VinDiesel.exe
        10⤵
        
        PID:6288
        
        C:\Users\Admin\Documents\Vlcplayer.exe
        
        C:\Users\Admin\Documents\Vlcplayer.exe
        10⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Starne.vssm
        11⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd
        12⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^xOPnRHccwLlqXLcXNbyVTewvYBNUOQNrBSTCQBDisCMXHQdfMnqcbQQsNaAfTAGlYuntRSikUYDddrOilnofQsGKeCObwhhQVBYBaknTsPBmhmwJEzycasxGmNeftJpG$" Cercando.vssm
        13⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Distinte.exe.com
        
        Distinte.exe.com q
        13⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Distinte.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Distinte.exe.com q
        14⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        13⤵
        Runs ping.exe
        
        PID:8696
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:5544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fsmpd1dx.5wk\google-game.exe & exit
        5⤵
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\fsmpd1dx.5wk\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\fsmpd1dx.5wk\google-game.exe
        6⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",get
        7⤵
        
        PID:5172
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\osjyiycq.4ay\005.exe & exit
        5⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\osjyiycq.4ay\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\osjyiycq.4ay\005.exe
        6⤵
        
        PID:96
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o1pe3xaw.41j\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:4744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s2rkboxn.c10\702564a0.exe & exit
        5⤵
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\s2rkboxn.c10\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\s2rkboxn.c10\702564a0.exe
        6⤵
        
        PID:6768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5399AC026C31D66ACB901FD403042F32 C
  2⤵
  PID:4392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 293FB1AA5F39513AF82FF7C775414704
  2⤵
  PID:5508
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:7136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Data Finder\Versium Research\Cube_WW.exe

MD5
8e1c70470fa769428ae7032d1fa2d47b

SHA1
69de9efb4ef42c0e0379c57c91c52103a86caaba

SHA256
40f5b88b5df92fe56723ff58ab5d46b27bc994b2f59ee50a81509bca078bd3a6

SHA512
f3f36c7e72eca5c2a54c62b9bb6fd59cc63da65c783e8e1631852302f1c057bb7328f419182a64f180a14c633361b9d5ebba2e6ade7f9ecb7b29908514a37295

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe

MD5
c4d8a9478b65d80ffde098ab61ff028e

SHA1
d5b53a3d21311e5a45bbf752e4e481887ad7f38c

SHA256
1d3b355e35b6edda7afae1d56dfe83c3aa3e3848263d08e8f1e9e65090457a48

SHA512
00a83e967723377066b9641e06dc311e5e546c57c4756de37c1b83f22dbdc74f56f21d299b7f811e77821e1f8abd724bd65575cea97e0acb6686ecc419b92504

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

MD5
aae3164438b0bb23c3ebba50ac6a0855

SHA1
d84149c1a2df033250f30b64ab6a76694d1c9006

SHA256
f65b69e816308bba915741f2f07ee8548612c2bd84d4ebf8aa5cd6ea2081e551

SHA512
5a86ef621a0a3e277e651f5d8805e630576868d9f7b1f52be994be983e1c6db79d1dc5293b88a616c7247c092da5d20dff12a6b2ec445c9faec8d84ff229ac5f

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

MD5
aae3164438b0bb23c3ebba50ac6a0855

SHA1
d84149c1a2df033250f30b64ab6a76694d1c9006

SHA256
f65b69e816308bba915741f2f07ee8548612c2bd84d4ebf8aa5cd6ea2081e551

SHA512
5a86ef621a0a3e277e651f5d8805e630576868d9f7b1f52be994be983e1c6db79d1dc5293b88a616c7247c092da5d20dff12a6b2ec445c9faec8d84ff229ac5f

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe

MD5
a30bdf843d0961c11e78fed101764f74

SHA1
0c421c3d2d007a09b9b968ac485464844fa8ca9d

SHA256
2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219

SHA512
fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

MD5
6bd341bfca324b52dfa4f696c7978025

SHA1
09029b634ff31a7e2cc903f2e1580bc6f554558d

SHA256
faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6

SHA512
d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

MD5
6bd341bfca324b52dfa4f696c7978025

SHA1
09029b634ff31a7e2cc903f2e1580bc6f554558d

SHA256
faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6

SHA512
d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe

MD5
4d4ca1d5c59e0f86cd10113734fbca0a

SHA1
abeef06f9fb5dc7497a1db7713b6105980db7c42

SHA256
dfab174a9d81d02668a3aed6378e51c78d5b2f24a9a49d5d15baae4a3a7069b8

SHA512
3a21c43a82f5d05ef27f22d9f4c89bff3d8ecf3380c1e177775c0bddf9a3ed27423f0fb9beeef1856013c5c38bc5aa525d5a206c7384d440b56247d9cc5f5bd8

Download Submit
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe

MD5
4d4ca1d5c59e0f86cd10113734fbca0a

SHA1
abeef06f9fb5dc7497a1db7713b6105980db7c42

SHA256
dfab174a9d81d02668a3aed6378e51c78d5b2f24a9a49d5d15baae4a3a7069b8

SHA512
3a21c43a82f5d05ef27f22d9f4c89bff3d8ecf3380c1e177775c0bddf9a3ed27423f0fb9beeef1856013c5c38bc5aa525d5a206c7384d440b56247d9cc5f5bd8

Download Submit
C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe

MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Program Files\Windows Mail\PNHMVBRAUR\prolab.exe

MD5
7233b5ee012fa5b15872a17cec85c893

SHA1
1cddbafd69e119ec5ab5c489420d4c74a523157b

SHA256
46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628

SHA512
716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

MD5
cc82bd6c900346da8968142d88d4d6c1

SHA1
ac3a9251f36b5976761ac60039f8ab88491a1d3e

SHA256
ca53f97a6a6b43386166f10ba1795875aa21eebb3abdadf96c79e2beb77909e9

SHA512
1db120f05409d191898667305dbccc502a7cace1854c65c7ab63528376d7d98291d31dfb52ad6138dd593e01a14553d4903f8ecdb2aae3dfa68e128677335048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B

MD5
714c686eb09317787ab416bb31374b99

SHA1
f93be68a3e7c18c6931abf739d2c1305da1386f1

SHA256
6bd804a1f5020fdc4420b8198fd2ddcc289d5a07124a7c5b2a71e1cb7ead03a3

SHA512
110dbd59c0d6117914fde859aa89d94cf0d7a8c44a914fb4361d7c0e35950706bf56347c0e5a5a381e5a847dca68ac528acdbdeba7e76a1a14a5207027f3e6c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

MD5
b948c92f6b1f747d7beca932718e34e6

SHA1
e5aaf4b92ff05ea7d30a09c4006976393a1556a0

SHA256
c14ed45260f70a79968330bb2c4917417ae96ec98a4d93bfd667806e4246c039

SHA512
a86c220eb20ac3ead261e584ee04ddae74b264afc36a066d84cf2a9b75f4c7fc1cc12353a94364e9a4c2cddfbbe88e7517d1138b2d9bd04fc2186ac82d62f8a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B

MD5
602daa793715d5466a9b404bf320a5ad

SHA1
5cff75882a33e13f273d647a90d7e324d5b030f8

SHA256
8ad7c5652ed39da40175be8ea5a712226422efd59828c91de49739cf64c1ed8b

SHA512
017635282e52178c511ded6aaa2a20ffac224f2198a1d75d104ef1108286a8107ad840e9c4e5ec419c93286c34c24dbf29600ac9e6ea97b7aff82e5e526fd1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\34jzbiam.hkn\001.exe

MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\34jzbiam.hkn\001.exe

MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\75-4ed72-b0a-bdab5-0cb04bb06ae49\Siqomesheda.exe

MD5
ba164765e442ec1933fd41743ca65773

SHA1
92c1ac3c88b87095c013f9e123dcaf38baa7fbd0

SHA256
97409c125b1798a20a5d590a8bd1564bd7e98cfffa89503349358d0374f2cf6c

SHA512
55291f35833dd512c912ca949f116815fb1266966eb4b36cdec063373e59c6ca4b5b67531ec59c9d56e08e69d0ac6f93f0ab3eb1d1efea0eb071c19664f7335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\75-4ed72-b0a-bdab5-0cb04bb06ae49\Siqomesheda.exe

MD5
ba164765e442ec1933fd41743ca65773

SHA1
92c1ac3c88b87095c013f9e123dcaf38baa7fbd0

SHA256
97409c125b1798a20a5d590a8bd1564bd7e98cfffa89503349358d0374f2cf6c

SHA512
55291f35833dd512c912ca949f116815fb1266966eb4b36cdec063373e59c6ca4b5b67531ec59c9d56e08e69d0ac6f93f0ab3eb1d1efea0eb071c19664f7335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\75-4ed72-b0a-bdab5-0cb04bb06ae49\Siqomesheda.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE2C6.tmp

MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE661.tmp

MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Kenessey.txt

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Litunobegu.exe

MD5
e562537ffa42ee7a99715a84b18adfa6

SHA1
56b36693203dc6011e8e9bda6999b2fd914908bc

SHA256
435f79f0093c6cc640a117f40a06c3adf3c0cc26607220882c7a0078d242cd5c

SHA512
025e4c6a950a83c5d29a88ee47a110e0df1fed19cd711c287d2198bda0f39fbb6b5ff72d083face5313dfd550ac3257025402cc3737ed0fda40a86c5f9670cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Litunobegu.exe

MD5
e562537ffa42ee7a99715a84b18adfa6

SHA1
56b36693203dc6011e8e9bda6999b2fd914908bc

SHA256
435f79f0093c6cc640a117f40a06c3adf3c0cc26607220882c7a0078d242cd5c

SHA512
025e4c6a950a83c5d29a88ee47a110e0df1fed19cd711c287d2198bda0f39fbb6b5ff72d083face5313dfd550ac3257025402cc3737ed0fda40a86c5f9670cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4-b87ca-270-8e69e-8bcb7953eaeb0\Litunobegu.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsmpd1dx.5wk\google-game.exe

MD5
40e13b1afe815e020b1dfd214e958e7d

SHA1
f1fdbc5c9808d39d9b99f5c7db34a56986bfc381

SHA256
e7ceafc49003d4360dc115b6787417ca49c9d824ddb5485d7cf24dd05583b4cb

SHA512
a354c2d0c1f9388a7e1d50029945919779624dfcf338589a934e47f537aefc0457a21f39a252a43463ec6bd174230c970f9ac6e83830a435439d7c8960c84ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsmpd1dx.5wk\google-game.exe

MD5
40e13b1afe815e020b1dfd214e958e7d

SHA1
f1fdbc5c9808d39d9b99f5c7db34a56986bfc381

SHA256
e7ceafc49003d4360dc115b6787417ca49c9d824ddb5485d7cf24dd05583b4cb

SHA512
a354c2d0c1f9388a7e1d50029945919779624dfcf338589a934e47f537aefc0457a21f39a252a43463ec6bd174230c970f9ac6e83830a435439d7c8960c84ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe

MD5
2c663b3f330f2adfda4339c8990f53c2

SHA1
6ad1c96ac41546be9c8dc7e9135ce461bc4af668

SHA256
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33

SHA512
2b2e8988c56f594658e352b625841cb9ac152483ddc604a42e77e8e6151541fb50b446b25d6861f3975572b461cf5369e349918a638f0cb1acdc24acc2120e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxdthezc.5rr\Setup3310.exe

MD5
2c663b3f330f2adfda4339c8990f53c2

SHA1
6ad1c96ac41546be9c8dc7e9135ce461bc4af668

SHA256
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33

SHA512
2b2e8988c56f594658e352b625841cb9ac152483ddc604a42e77e8e6151541fb50b446b25d6861f3975572b461cf5369e349918a638f0cb1acdc24acc2120e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dat

MD5
7182a2bb097d28317d0ee381d885bb43

SHA1
c4d386371725257e17ff324e9843752b87a3f06a

SHA256
93af93054c2b03459e05fa7afc3f8cc465b72979c90009d24604d25457aec91f

SHA512
c39b2fa81c571fe0ccab1cb0a5be365300a66ed6eb4f360c09e61ec65655e0ba42e4411958c9c64c0db2cdebf2fca4ac67b3c5927007f4177d065125e8eacebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll

MD5
428557b1005fd154585af2e3c721e402

SHA1
3fc4303735f8355f787f3181d69450423627b5c9

SHA256
1bb1e726362311c789fdfd464f12e72c279fb3ad639d27338171d16e73360e7c

SHA512
2948fbb5d61fa7b3ca5d38a1b9fa82c453a073bddd2a378732da9c0bff9a9c3887a09f38001f0d5326a19cc7929dbb7b9b49707288db823e6af0db75411bc35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8AJ55.tmp\___________Food_C235_2427.exe

MD5
23c3e480318751d3ae8ae72be0974cd3

SHA1
6be7a71037f41a9227b6f90ae30b8e90fe310b72

SHA256
b3211a671a5965b6d7a6ade6f41febfcb2555f14f09447d6885ba25a7a4c66da

SHA512
980726328b333b1f0f5508841829477fad984ac08daeef3b42f9ecbfb34b320cccb4a22e833f76e93f3dc78da9c2711aad063ec8dee25c5a1094eb4b41bd1644

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8AJ55.tmp\___________Food_C235_2427.exe

MD5
23c3e480318751d3ae8ae72be0974cd3

SHA1
6be7a71037f41a9227b6f90ae30b8e90fe310b72

SHA256
b3211a671a5965b6d7a6ade6f41febfcb2555f14f09447d6885ba25a7a4c66da

SHA512
980726328b333b1f0f5508841829477fad984ac08daeef3b42f9ecbfb34b320cccb4a22e833f76e93f3dc78da9c2711aad063ec8dee25c5a1094eb4b41bd1644

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ILU35.tmp\Setup3310.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NFRQI.tmp\prolab.tmp

MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NFRQI.tmp\prolab.tmp

MD5
47006dae5dde9f202bd32aec59100cc7

SHA1
bee5cf5cedd4d8c7aa4795285470f9745da857ef

SHA256
ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f

SHA512
3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R9L9N.tmp\41CCF2991FAF22D76A6D0F1BC576676C.tmp

MD5
e5bf2eaf6dfc2cac432155fbd5b23fb2

SHA1
4660eb095a2402de7733067b6fcbb543eb807334

SHA256
886e130bde0b7d08eae265b014e22e33bc826e18b02c2c4eda60414df82bbe02

SHA512
7b807bf3630c1c05c7dda7c622cf202b8be67460c02d038fdf1d4b750b96605d4b2922b8a72f5dd2f9e53a2586d2e223c1e5eb75880972fd94e32d868839e93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\Setup.exe

MD5
39a51cd76c6be80e454eaa1d9df76db2

SHA1
746d3078572618607277c27421ba6efc368801b4

SHA256
f978d5f22b62bc0266149e405e5c7a14b4f0e902fb36d611558230843764a7da

SHA512
294d6c4049798cc1462869e8817b6519fab0de81ffe5bfa639c6e41aefc725507e9e5b51852fb713d5cc42b6b4157d63644b79a96178f097f17b09e3f247ec2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\Setup.exe

MD5
39a51cd76c6be80e454eaa1d9df76db2

SHA1
746d3078572618607277c27421ba6efc368801b4

SHA256
f978d5f22b62bc0266149e405e5c7a14b4f0e902fb36d611558230843764a7da

SHA512
294d6c4049798cc1462869e8817b6519fab0de81ffe5bfa639c6e41aefc725507e9e5b51852fb713d5cc42b6b4157d63644b79a96178f097f17b09e3f247ec2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe

MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lonivytm.omz\installer.exe

MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1pe3xaw.41j\GcleanerWW.exe

MD5
4f4adcbf8c6f66dcfc8a3282ac2bf10a

SHA1
c35a9fc52bb556c79f8fa540df587a2bf465b940

SHA256
6b3c238ebcf1f3c07cf0e556faa82c6b8fe96840ff4b6b7e9962a2d855843a0b

SHA512
0d15d65c1a988dfc8cc58f515a9bb56cbaf1ff5cb0a5554700bc9af20a26c0470a83c8eb46e16175154a6bcaad7e280bbfd837a768f9f094da770b7bd3849f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\osjyiycq.4ay\005.exe

MD5
0422002ffd305cccc4e8ab7fc54fd02b

SHA1
c43215adba2626e1ca616c89b61ef2eeddb2a4c1

SHA256
8beb68608e34dd4a6e7158d753e9a760ba7b89c41bc2dbbb7eb70397e5af5b92

SHA512
063ef73deabc344926fd6ac5a1c0cb4952ecf422bf7da8e2190bb00763763b5bee4bd4cadb3f7beff8e0309824764ed3bee9370421e44b467f1ae549adedf739

Download Submit
C:\Users\Admin\AppData\Local\Temp\osjyiycq.4ay\005.exe

MD5
0422002ffd305cccc4e8ab7fc54fd02b

SHA1
c43215adba2626e1ca616c89b61ef2eeddb2a4c1

SHA256
8beb68608e34dd4a6e7158d753e9a760ba7b89c41bc2dbbb7eb70397e5af5b92

SHA512
063ef73deabc344926fd6ac5a1c0cb4952ecf422bf7da8e2190bb00763763b5bee4bd4cadb3f7beff8e0309824764ed3bee9370421e44b467f1ae549adedf739

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzju5e2k.hvb\GcleanerEU.exe

MD5
4f4adcbf8c6f66dcfc8a3282ac2bf10a

SHA1
c35a9fc52bb556c79f8fa540df587a2bf465b940

SHA256
6b3c238ebcf1f3c07cf0e556faa82c6b8fe96840ff4b6b7e9962a2d855843a0b

SHA512
0d15d65c1a988dfc8cc58f515a9bb56cbaf1ff5cb0a5554700bc9af20a26c0470a83c8eb46e16175154a6bcaad7e280bbfd837a768f9f094da770b7bd3849f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdskqvdp.hrc\gaoou.exe

MD5
981c541cb4dd9921a82c85286c23451d

SHA1
9cf1be9d49e998c16d0d33b85ac3ddac83d441ac

SHA256
fad987a365400592f66296ab1a99cd7b77786b6e30c74d217646e94e8d111f5d

SHA512
82e8a7f0afd45c5ff75413b2e3ff5f105917809bb1af46f76e4e12d88100fbec22226caccd9aa2ab436988e59e97f78c64b3101938f25a3f0ae54796bf584af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdskqvdp.hrc\gaoou.exe

MD5
981c541cb4dd9921a82c85286c23451d

SHA1
9cf1be9d49e998c16d0d33b85ac3ddac83d441ac

SHA256
fad987a365400592f66296ab1a99cd7b77786b6e30c74d217646e94e8d111f5d

SHA512
82e8a7f0afd45c5ff75413b2e3ff5f105917809bb1af46f76e4e12d88100fbec22226caccd9aa2ab436988e59e97f78c64b3101938f25a3f0ae54796bf584af4

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi

MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
\Users\Admin\AppData\Local\Temp\INAE1CA.tmp

MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE2C6.tmp

MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE661.tmp

MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\install.dll

MD5
428557b1005fd154585af2e3c721e402

SHA1
3fc4303735f8355f787f3181d69450423627b5c9

SHA256
1bb1e726362311c789fdfd464f12e72c279fb3ad639d27338171d16e73360e7c

SHA512
2948fbb5d61fa7b3ca5d38a1b9fa82c453a073bddd2a378732da9c0bff9a9c3887a09f38001f0d5326a19cc7929dbb7b9b49707288db823e6af0db75411bc35e

Download Submit
\Users\Admin\AppData\Local\Temp\is-8AJ55.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-UGUE5.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
memory/96-221-0x0000000000000000-mapping.dmp

Download
memory/96-234-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/96-237-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/336-317-0x0000023F01370000-0x0000023F013E1000-memory.dmp

Filesize
452KB

Download
memory/380-298-0x0000020FC7250000-0x0000020FC72C1000-memory.dmp

Filesize
452KB

Download
memory/392-129-0x0000000000000000-mapping.dmp

Download
memory/392-139-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/396-286-0x000001DB94B00000-0x000001DB94B71000-memory.dmp

Filesize
452KB

Download
memory/804-161-0x0000000000000000-mapping.dmp

Download
memory/808-114-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1076-285-0x0000027F4D970000-0x0000027F4D9E1000-memory.dmp

Filesize
452KB

Download
memory/1076-267-0x0000027F4CC10000-0x0000027F4CC5B000-memory.dmp

Filesize
300KB

Download
memory/1140-140-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1140-128-0x0000000000000000-mapping.dmp

Download
memory/1144-150-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1144-151-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1144-147-0x0000000000000000-mapping.dmp

Download
memory/1236-310-0x000001A26CBD0000-0x000001A26CC41000-memory.dmp

Filesize
452KB

Download
memory/1244-304-0x000001F3F3780000-0x000001F3F37F1000-memory.dmp

Filesize
452KB

Download
memory/1300-170-0x0000000000000000-mapping.dmp

Download
memory/1420-293-0x000001B7D7840000-0x000001B7D78B1000-memory.dmp

Filesize
452KB

Download
memory/1956-299-0x00000193178B0000-0x0000019317921000-memory.dmp

Filesize
452KB

Download
memory/2064-143-0x0000000001562000-0x0000000001564000-memory.dmp

Filesize
8KB

Download
memory/2064-144-0x0000000001564000-0x0000000001565000-memory.dmp

Filesize
4KB

Download
memory/2064-134-0x0000000000000000-mapping.dmp

Download
memory/2064-141-0x0000000001560000-0x0000000001562000-memory.dmp

Filesize
8KB

Download
memory/2216-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2216-124-0x0000000000000000-mapping.dmp

Download
memory/2320-363-0x0000000000000000-mapping.dmp

Download
memory/2720-309-0x0000012783000000-0x0000012783071000-memory.dmp

Filesize
452KB

Download
memory/2796-316-0x000002246ED40000-0x000002246EDB1000-memory.dmp

Filesize
452KB

Download
memory/2808-322-0x0000025A2D100000-0x0000025A2D171000-memory.dmp

Filesize
452KB

Download
memory/3236-115-0x0000000000000000-mapping.dmp

Download
memory/3236-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3340-123-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/3340-120-0x0000000000000000-mapping.dmp

Download
memory/4016-365-0x0000000000000000-mapping.dmp

Download
memory/4116-154-0x0000000000000000-mapping.dmp

Download
memory/4192-369-0x0000000000000000-mapping.dmp

Download
memory/4224-164-0x0000000000000000-mapping.dmp

Download
memory/4336-210-0x0000000000000000-mapping.dmp

Download
memory/4392-184-0x0000000000000000-mapping.dmp

Download
memory/4416-367-0x0000000000000000-mapping.dmp

Download
memory/4420-152-0x0000000000000000-mapping.dmp

Download
memory/4500-217-0x0000000000000000-mapping.dmp

Download
memory/4636-155-0x0000000000000000-mapping.dmp

Download
memory/4668-216-0x0000000000000000-mapping.dmp

Download
memory/4720-146-0x0000000000000000-mapping.dmp

Download
memory/4744-224-0x0000000000000000-mapping.dmp

Download
memory/4764-209-0x0000000000000000-mapping.dmp

Download
memory/4784-171-0x0000000000000000-mapping.dmp

Download
memory/4784-173-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4792-327-0x0000000000000000-mapping.dmp

Download
memory/4792-339-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4792-352-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4792-225-0x0000000000000000-mapping.dmp

Download
memory/4808-342-0x0000000000000000-mapping.dmp

Download
memory/4808-348-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/4944-196-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4944-195-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4944-187-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4944-189-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4944-188-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4944-175-0x0000000000000000-mapping.dmp

Download
memory/4944-179-0x0000000003960000-0x000000000399C000-memory.dmp

Filesize
240KB

Download
memory/4944-206-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4944-190-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4944-181-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4944-191-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4944-205-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4944-192-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4944-204-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4944-203-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4944-202-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4944-193-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4944-194-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4944-197-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4944-199-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4944-198-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4984-160-0x0000000000000000-mapping.dmp

Download
memory/5080-213-0x0000000000000000-mapping.dmp

Download
memory/5084-357-0x0000000000000000-mapping.dmp

Download
memory/5096-368-0x0000000000000000-mapping.dmp

Download
memory/5140-360-0x0000000000000000-mapping.dmp

Download
memory/5144-366-0x0000000000000000-mapping.dmp

Download
memory/5144-346-0x0000000000000000-mapping.dmp

Download
memory/5164-362-0x0000000000000000-mapping.dmp

Download
memory/5168-323-0x0000000000000000-mapping.dmp

Download
memory/5172-271-0x0000000004D80000-0x0000000004DDC000-memory.dmp

Filesize
368KB

Download
memory/5172-262-0x0000000004C45000-0x0000000004D46000-memory.dmp

Filesize
1.0MB

Download
memory/5172-233-0x0000000000000000-mapping.dmp

Download
memory/5232-359-0x0000000000000000-mapping.dmp

Download
memory/5264-311-0x000002741AA30000-0x000002741AAA1000-memory.dmp

Filesize
452KB

Download
memory/5264-241-0x00007FF6C6D54060-mapping.dmp

Download
memory/5300-325-0x0000000000000000-mapping.dmp

Download
memory/5364-358-0x0000000000000000-mapping.dmp

Download
memory/5368-324-0x0000000000000000-mapping.dmp

Download
memory/5408-355-0x0000000002500000-0x000000000250B000-memory.dmp

Filesize
44KB

Download
memory/5408-338-0x0000000002560000-0x000000000262F000-memory.dmp

Filesize
828KB

Download
memory/5408-351-0x0000000004B90000-0x0000000004C5D000-memory.dmp

Filesize
820KB

Download
memory/5408-326-0x0000000000000000-mapping.dmp

Download
memory/5408-343-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/5456-252-0x0000000000000000-mapping.dmp

Download
memory/5456-289-0x0000000001050000-0x00000000016AF000-memory.dmp

Filesize
6.4MB

Download
memory/5488-254-0x0000000000000000-mapping.dmp

Download
memory/5496-330-0x0000000000000000-mapping.dmp

Download
memory/5504-364-0x0000000000000000-mapping.dmp

Download
memory/5508-256-0x0000000000000000-mapping.dmp

Download
memory/5544-258-0x0000000000000000-mapping.dmp

Download
memory/5588-263-0x0000000000000000-mapping.dmp

Download
memory/5588-272-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5620-328-0x0000000000000000-mapping.dmp

Download
memory/5620-335-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/5620-356-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5636-268-0x0000000000000000-mapping.dmp

Download
memory/5636-277-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5688-273-0x0000000000000000-mapping.dmp

Download
memory/5696-340-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/5696-329-0x0000000000000000-mapping.dmp

Download
memory/5744-361-0x0000000000000000-mapping.dmp

Download
memory/5792-334-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/5792-332-0x0000000000000000-mapping.dmp

Download
memory/5800-292-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5800-281-0x0000000000000000-mapping.dmp

Download
memory/5824-331-0x0000000000000000-mapping.dmp

Download
memory/5828-284-0x0000000000000000-mapping.dmp

Download
memory/5984-341-0x0000000000000000-mapping.dmp

Download
memory/6132-333-0x0000000000000000-mapping.dmp

Download