blacknet | 6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf

Resubmissions

27/11/2022, 13:36

221127-qwjzlsbd92 10

27/11/2022, 12:53

221127-p4mj2ahd68 10

Analysis

max time kernel
289s
max time network
1521s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1732-89-0x0000000010560000-0x00000000105B1000-memory.exe
Size

324KB
MD5

502f23821a675b1eeef88072cd7539e9
SHA1

2b48a14d21a1184444f583234b7dbd5aa9f525b1
SHA256

6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf
SHA512

2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373
SSDEEP

6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx

Score

10^/10

blacknet darkcomet netwire bot guest16 botnet evasion persistence rat stealer trojan upx

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e6d8-144.dat	family_blacknet
behavioral1/files/0x000200000001e6d8-145.dat	family_blacknet

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3872-132-0x0000000000550000-0x00000000005A1000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
4392	ChromeRecovery.exe
1972	svshost.exe
1564	jusched.exe
4944	WinlockerBuilderv5.exe
4256	upx_compresser.exe
4664	upx_compresser.exe
4992	taskhost.exe
2880	taskhost.exe
2552	svshost.exe
4408	WinlockerBuilderv5.exe
4420	upx_compresser.exe
64	upx_compresser.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001e6ec-149.dat	upx
behavioral1/files/0x000400000001e6ec-148.dat	upx
behavioral1/memory/4944-153-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/files/0x000400000001e6ec-170.dat	upx
behavioral1/memory/4408-176-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4944-178-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4944-179-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4408-182-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4408-183-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upx_compresser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svshost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 4664	4256	upx_compresser.exe	155
PID 4992 set thread context of 2880	4992	taskhost.exe	158
PID 4420 set thread context of 64	4420	upx_compresser.exe	162

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\manifest.json	elevation_service.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
376	sc.exe
1312	sc.exe
4212	sc.exe
936	sc.exe
3356	sc.exe
3012	sc.exe
1372	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4412	3872	WerFault.exe	82
3228	5008	WerFault.exe	30

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates processes with tasklist 1 TTPs 33 IoCs

Process Discovery

T1057

pid	Process
4864	tasklist.exe
204	tasklist.exe
6012	tasklist.exe
3384	tasklist.exe
888	tasklist.exe
3456	tasklist.exe
4464	tasklist.exe
5400	tasklist.exe
3080	tasklist.exe
5520	tasklist.exe
3468	tasklist.exe
5996	tasklist.exe
3436	tasklist.exe
5344	tasklist.exe
5420	tasklist.exe
544	tasklist.exe
4656	tasklist.exe
5916	tasklist.exe
1548	tasklist.exe
4968	tasklist.exe
4348	tasklist.exe
1436	tasklist.exe
5364	tasklist.exe
5600	tasklist.exe
1288	tasklist.exe
1112	tasklist.exe
3044	tasklist.exe
4452	tasklist.exe
3232	tasklist.exe
1440	tasklist.exe
5492	tasklist.exe
432	tasklist.exe
1888	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4316	ipconfig.exe
4552	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4716	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	upx_compresser.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
3140	chrome.exe
3140	chrome.exe
4456	chrome.exe
4456	chrome.exe
4884	chrome.exe
4884	chrome.exe
1112	chrome.exe
1112	chrome.exe
1640	chrome.exe
1640	chrome.exe
3464	chrome.exe
3464	chrome.exe
2012	chrome.exe
2012	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
1860	chrome.exe
1860	chrome.exe
4796	chrome.exe
4796	chrome.exe
4544	chrome.exe
4544	chrome.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
944	taskmgr.exe
944	taskmgr.exe
4256	upx_compresser.exe
4256	upx_compresser.exe
1564	jusched.exe
944	taskmgr.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
1564	jusched.exe
4992	taskhost.exe
1564	jusched.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4256	upx_compresser.exe
4992	taskhost.exe
4420	upx_compresser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	WinlockerBuilderv5.exe
Token: SeDebugPrivilege	944	taskmgr.exe
Token: SeSystemProfilePrivilege	944	taskmgr.exe
Token: SeCreateGlobalPrivilege	944	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	4664	upx_compresser.exe
Token: SeSecurityPrivilege	4664	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	4664	upx_compresser.exe
Token: SeLoadDriverPrivilege	4664	upx_compresser.exe
Token: SeSystemProfilePrivilege	4664	upx_compresser.exe
Token: SeSystemtimePrivilege	4664	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	4664	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	4664	upx_compresser.exe
Token: SeCreatePagefilePrivilege	4664	upx_compresser.exe
Token: SeBackupPrivilege	4664	upx_compresser.exe
Token: SeRestorePrivilege	4664	upx_compresser.exe
Token: SeShutdownPrivilege	4664	upx_compresser.exe
Token: SeDebugPrivilege	4664	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	4664	upx_compresser.exe
Token: SeChangeNotifyPrivilege	4664	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	4664	upx_compresser.exe
Token: SeUndockPrivilege	4664	upx_compresser.exe
Token: SeManageVolumePrivilege	4664	upx_compresser.exe
Token: SeImpersonatePrivilege	4664	upx_compresser.exe
Token: SeCreateGlobalPrivilege	4664	upx_compresser.exe
Token: 33	4664	upx_compresser.exe
Token: 34	4664	upx_compresser.exe
Token: 35	4664	upx_compresser.exe
Token: 36	4664	upx_compresser.exe
Token: SeDebugPrivilege	1564	jusched.exe
Token: SeIncreaseQuotaPrivilege	2880	taskhost.exe
Token: SeSecurityPrivilege	2880	taskhost.exe
Token: SeTakeOwnershipPrivilege	2880	taskhost.exe
Token: SeLoadDriverPrivilege	2880	taskhost.exe
Token: SeSystemProfilePrivilege	2880	taskhost.exe
Token: SeSystemtimePrivilege	2880	taskhost.exe
Token: SeProfSingleProcessPrivilege	2880	taskhost.exe
Token: SeIncBasePriorityPrivilege	2880	taskhost.exe
Token: SeCreatePagefilePrivilege	2880	taskhost.exe
Token: SeBackupPrivilege	2880	taskhost.exe
Token: SeRestorePrivilege	2880	taskhost.exe
Token: SeShutdownPrivilege	2880	taskhost.exe
Token: SeDebugPrivilege	2880	taskhost.exe
Token: SeSystemEnvironmentPrivilege	2880	taskhost.exe
Token: SeChangeNotifyPrivilege	2880	taskhost.exe
Token: SeRemoteShutdownPrivilege	2880	taskhost.exe
Token: SeUndockPrivilege	2880	taskhost.exe
Token: SeManageVolumePrivilege	2880	taskhost.exe
Token: SeImpersonatePrivilege	2880	taskhost.exe
Token: SeCreateGlobalPrivilege	2880	taskhost.exe
Token: 33	2880	taskhost.exe
Token: 34	2880	taskhost.exe
Token: 35	2880	taskhost.exe
Token: 36	2880	taskhost.exe
Token: SeIncreaseQuotaPrivilege	64	upx_compresser.exe
Token: SeSecurityPrivilege	64	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	64	upx_compresser.exe
Token: SeLoadDriverPrivilege	64	upx_compresser.exe
Token: SeSystemProfilePrivilege	64	upx_compresser.exe
Token: SeSystemtimePrivilege	64	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	64	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	64	upx_compresser.exe
Token: SeCreatePagefilePrivilege	64	upx_compresser.exe
Token: SeBackupPrivilege	64	upx_compresser.exe
Token: SeRestorePrivilege	64	upx_compresser.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe
944	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4108	WinlockerBuilderv5.exe
4108	WinlockerBuilderv5.exe
4944	WinlockerBuilderv5.exe
1564	jusched.exe
1564	jusched.exe
2880	taskhost.exe
4408	WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1124	3140	chrome.exe	98
PID 3140 wrote to memory of 1124	3140	chrome.exe	98
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 2980	3140	chrome.exe	100
PID 3140 wrote to memory of 4004	3140	chrome.exe	101
PID 3140 wrote to memory of 4004	3140	chrome.exe	101
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103
PID 3140 wrote to memory of 4180	3140	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\1732-89-0x0000000010560000-0x00000000105B1000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1732-89-0x0000000010560000-0x00000000105B1000-memory.exe"
1⤵
PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 216
  2⤵
  - Program crash
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3872 -ip 3872
1⤵
PID:2880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 5008 -ip 5008
1⤵
PID:728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5008 -s 840
1⤵
- Program crash
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffc52804f50,0x7ffc52804f60,0x7ffc52804f70
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3904 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1116 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1652,17481242277856486952,16378110642372643242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  PID:5352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:796

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4868

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4764
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={a30941d9-8443-4e53-837c-c508c593b09c} --system
  2⤵
  - Executes dropped EXE
  PID:4392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4828

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4108
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
    "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4664
    - - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4992
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2880
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:4420
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:64

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc52804f50,0x7ffc52804f60,0x7ffc52804f70
  2⤵
  PID:1384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc52804f50,0x7ffc52804f60,0x7ffc52804f70
  2⤵
  PID:3896

C:\Users\Admin\Desktop\driver_booster_setup.exe
"C:\Users\Admin\Desktop\driver_booster_setup.exe"
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\is-SFCIU.tmp\driver_booster_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SFCIU.tmp\driver_booster_setup.tmp" /SL5="$C05F6,25677386,139264,C:\Users\Admin\Desktop\driver_booster_setup.exe"
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\is-6Q6L7.tmp-dbinst\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6Q6L7.tmp-dbinst\setup.exe" "C:\Users\Admin\Desktop\driver_booster_setup.exe" /title="Driver Booster 8" /dbver=8.3.0.370 /eula="C:\Users\Admin\AppData\Local\Temp\is-6Q6L7.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
    3⤵
    PID:4632
  - - C:\Users\Admin\Desktop\driver_booster_setup.exe
      "C:\Users\Admin\Desktop\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon
      4⤵
      PID:492
    - - C:\Users\Admin\AppData\Local\Temp\is-H4TKQ.tmp\driver_booster_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H4TKQ.tmp\driver_booster_setup.tmp" /SL5="$90658,25677386,139264,C:\Users\Admin\Desktop\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon
        5⤵
        
        PID:1796
      - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\HWiNFO\HWiNFO.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\HWiNFO\HWiNFO.exe" /brandname
        6⤵
        
        PID:1528
      - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\CareScan.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\CareScan.exe" /savefile /silentscan /low /output="C:\Program Files (x86)\IObit\Driver Booster\8.3.0\ScanData\ScanResult_all.ini"
        6⤵
        
        PID:4164
      - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\TaskbarPin\ICONPIN64.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\TaskbarPin\ICONPIN64.exe" pin "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\DriverBooster.exe"
        6⤵
        
        PID:5004
      - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\SetupHlp.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\SetupHlp.exe" /install
        6⤵
        
        PID:4340
        
        C:\Program Files (x86)\IObit\Driver Booster\8.3.0\RttHlp.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\RttHlp.exe" /winstdate
        7⤵
        
        PID:4900
      - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\InstStat.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\InstStat.exe" /install db8
        6⤵
        
        PID:3084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.iobit.com/appgoto.php?to=install&name=db&ver=8.3.0.370&lan=&ref=db8&type=free
      4⤵
      PID:932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffc5e1e46f8,0x7ffc5e1e4708,0x7ffc5e1e4718
        5⤵
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:4840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
        5⤵
        
        PID:2140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        5⤵
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:3992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13290613445491719689,16174109150017480043,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 /prefetch:8
        5⤵
        
        PID:1252
  - - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\IObitDownloader.exe
      "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\IObitDownloader.exe" /Config=http://update.iobit.com/infofiles/db/rmd/freeware-db.upt /product=db8 "iTop VPN Installer B"
      4⤵
      PID:1524
    - - C:\ProgramData\IObit\Driver Booster\Downloader\db8\iTopSetup.exe
        
        "C:\ProgramData\IObit\Driver Booster\Downloader\db8\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre
        5⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\is-2LVET.tmp\iTopSetup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2LVET.tmp\iTopSetup.tmp" /SL5="$B0668,26431840,141312,C:\ProgramData\IObit\Driver Booster\Downloader\db8\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre
        6⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\is-UTDNG.tmp\ugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UTDNG.tmp\ugin.exe" /kill /UPGRADE
        7⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /f /im "ugin.exe"
        7⤵
        Kills process with taskkill
        
        PID:4716
        
        C:\Program Files (x86)\iTop VPN\ugin.exe
        
        "C:\Program Files (x86)\iTop VPN\ugin.exe" /kill /updagrade
        7⤵
        
        PID:2468
        
        C:\Program Files (x86)\iTop VPN\iTopVPN.exe
        
        "C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /installinit
        7⤵
        
        PID:3472
        
        C:\Program Files (x86)\iTop VPN\ugin.exe
        
        "C:\Program Files (x86)\iTop VPN\ugin.exe" /init /ver 4.2.0.3828 /force /f /inspkg "C:\ProgramData\IObit\Driver Booster\Downloader\db8\iTopSetup.exe" /insur "db_in_fre" /PINTOTASKBAR
        7⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c sc stop windivert
        8⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop windivert
        9⤵
        Launches sc.exe
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c sc stop windivert
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop windivert
        9⤵
        Launches sc.exe
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c sc delete windivert
        8⤵
        
        PID:884
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete windivert
        9⤵
        Launches sc.exe
        
        PID:1372
        
        C:\Program Files (x86)\iTop VPN\icop64.exe
        
        "C:\Program Files (x86)\iTop VPN\icop64.exe" Pin "C:\Program Files (x86)\iTop VPN\iTopVPN.exe"
        8⤵
        
        PID:320
        
        C:\Program Files (x86)\iTop VPN\ugin.exe
        
        "C:\Program Files (x86)\iTop VPN\ugin.exe" /checkwelcome
        8⤵
        
        PID:3984
        
        C:\Program Files (x86)\iTop VPN\ullc.exe
        
        "C:\Program Files (x86)\iTop VPN\ullc.exe"
        7⤵
        
        PID:180
        
        C:\Program Files (x86)\iTop VPN\ugin.exe
        
        "C:\Program Files (x86)\iTop VPN\ugin.exe" /setlan "English"
        7⤵
        
        PID:4200
        
        C:\Program Files (x86)\iTop VPN\unpr.exe
        
        "C:\Program Files (x86)\iTop VPN\unpr.exe" /install itop4
        7⤵
        
        PID:1808
        
        C:\Program Files (x86)\iTop VPN\iTopVPN.exe
        
        "C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /install
        7⤵
        
        PID:1408
        
        C:\Program Files (x86)\iTop VPN\atud.exe
        
        "C:\Program Files (x86)\iTop VPN\atud.exe" /auto
        8⤵
        
        PID:8
        
        C:\Program Files (x86)\iTop VPN\aud.exe
        
        "C:\Program Files (x86)\iTop VPN\aud.exe" /u https://stats.itopvpn.com/active_month.php /a itop4 /p itopf /v 4.2.0.3828 /t 10 /d 7 / /user
        8⤵
        
        PID:2012
        
        C:\Program Files (x86)\iTop VPN\aud.exe
        
        "C:\Program Files (x86)\iTop VPN\aud.exe" /itop /dayactive
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ipconfig /flushdns
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        9⤵
        Gathers network information
        
        PID:4316
        
        C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe
        
        "C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe" /antrun /install /state 0
        8⤵
        
        PID:4632
        
        C:\Windows\SYSTEM32\secedit.exe
        
        secedit /export /cfg C:\Users\Admin\AppData\Local\Temp\1988.inf /log C:\Users\Admin\AppData\Local\Temp\5366.log
        8⤵
        
        PID:4920
        
        C:\Windows\SYSTEM32\secedit.exe
        
        secedit /export /cfg C:\Users\Admin\AppData\Local\Temp\3497.inf /log C:\Users\Admin\AppData\Local\Temp\8913.log
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start MpsSvc
        8⤵
        Launches sc.exe
        
        PID:376
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start MpsSvc
        8⤵
        Launches sc.exe
        
        PID:1312
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start MpsSvc
        8⤵
        Launches sc.exe
        
        PID:4212
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start MpsSvc
        8⤵
        Launches sc.exe
        
        PID:936
        
        C:\Program Files (x86)\iTop VPN\ugin.exe
        
        "C:\Program Files (x86)\iTop VPN\ugin.exe" /combinslog "C:\Users\Admin\AppData\Local\Temp\Setup Log 2022-11-27 #003.txt"
        7⤵
        
        PID:1624
  - - C:\Program Files (x86)\IObit\Driver Booster\8.3.0\SetupHlp.exe
      "C:\Program Files (x86)\IObit\Driver Booster\8.3.0\SetupHlp.exe" /afterinstall /setup="C:\Users\Admin\AppData\Local\Temp\is-6Q6L7.tmp-dbinst\setup.exe"
      4⤵
      PID:696

C:\Users\Admin\Desktop\PC_Cleaner.exe
"C:\Users\Admin\Desktop\PC_Cleaner.exe"
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\is-J6TBC.tmp\PC_Cleaner.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J6TBC.tmp\PC_Cleaner.tmp" /SL5="$30650,5947172,780800,C:\Users\Admin\Desktop\PC_Cleaner.exe"
  2⤵
  PID:4848
- - C:\Program Files (x86)\PC Cleaner\unins000.exe
    "C:\Program Files (x86)\PC Cleaner\unins000.exe" /SILENT /NORESTART /SUPPRESSMSGBOXES
    3⤵
    PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\PC Cleaner\unins000.exe" /FIRSTPHASEWND=$306E2 /SILENT /NORESTART /SUPPRESSMSGBOXES
      4⤵
      PID:4948
    - - C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe
        
        "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe" /U
        5⤵
        
        PID:4740
- - C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe
    "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\wevtutil.exe
      qe Microsoft-Windows-Diagnostics-Performance/Operational /rd:true /f:xml /c:1 /q:"*[System [(EventID = 100)]]" /e:Events
      4⤵
      PID:4944
- - C:\Program Files (x86)\PC Cleaner\PCCleaner.exe
    "C:\Program Files (x86)\PC Cleaner\PCCleaner.exe"
    3⤵
    PID:2200

C:\Users\Admin\Desktop\PC_Cleaner.exe
"C:\Users\Admin\Desktop\PC_Cleaner.exe"
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\is-7PSGO.tmp\PC_Cleaner.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7PSGO.tmp\PC_Cleaner.tmp" /SL5="$90630,5947172,780800,C:\Users\Admin\Desktop\PC_Cleaner.exe"
  2⤵
  PID:1120
- - C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe
    "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
    3⤵
    PID:3164
- - C:\Program Files (x86)\PC Cleaner\PCCleaner.exe
    "C:\Program Files (x86)\PC Cleaner\PCCleaner.exe"
    3⤵
    PID:2608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Program Files (x86)\PC Cleaner\PCCleaner.exe
"C:\Program Files (x86)\PC Cleaner\PCCleaner.exe"
1⤵
PID:2024

C:\Users\Admin\Desktop\aso3setup_systweak-default.exe
"C:\Users\Admin\Desktop\aso3setup_systweak-default.exe"
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\is-CRCVN.tmp\aso3setup_systweak-default.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CRCVN.tmp\aso3setup_systweak-default.tmp" /SL5="$605F2,11352888,119296,C:\Users\Admin\Desktop\aso3setup_systweak-default.exe"
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" stop ASO3DiskOptimizer /y
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ASO3DiskOptimizer /y
      4⤵
      PID:3948
- - C:\Users\Admin\AppData\Local\Temp\is-13LM1.tmp\KillASOProcesses.exe
    "C:\Users\Admin\AppData\Local\Temp\is-13LM1.tmp\KillASOProcesses.exe"
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" stop "ASO3DiskOptimizer" /y
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ASO3DiskOptimizer" /y
        5⤵
        
        PID:408

C:\Users\Admin\Desktop\aso3setup_systweak-default.exe
"C:\Users\Admin\Desktop\aso3setup_systweak-default.exe"
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\is-QESRF.tmp\aso3setup_systweak-default.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QESRF.tmp\aso3setup_systweak-default.tmp" /SL5="$502F6,11352888,119296,C:\Users\Admin\Desktop\aso3setup_systweak-default.exe"
  2⤵
  PID:884
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" stop ASO3DiskOptimizer /y
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ASO3DiskOptimizer /y
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Local\Temp\is-7E8T9.tmp\KillASOProcesses.exe
    "C:\Users\Admin\AppData\Local\Temp\is-7E8T9.tmp\KillASOProcesses.exe"
    3⤵
    PID:4980
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" stop "ASO3DiskOptimizer" /y
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "ASO3DiskOptimizer" /y
        5⤵
        
        PID:1068
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Advanced System Optimizer 3\SecureShell.dll"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced-system-protector_startup" /f
    3⤵
    PID:952
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced-system protector_startup" /f
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced~system protector_startup" /f
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced-system-protector" /f
    3⤵
    PID:656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced-system protector" /f
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "advanced~system protector" /f
    3⤵
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://systweak.com/advanced-system-optimizer/after-install?isasof=1&LangID=en&utm_source=systweak&utm_campaign=default&affiliateid=&x-cid=default&utm_content=AfterInstall&utm_term=Setup&page=install
    3⤵
    PID:1504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5e1646f8,0x7ffc5e164708,0x7ffc5e164718
      4⤵
      PID:972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
      4⤵
      PID:4692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:2496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2236,6989088491686606671,14244937705797306391,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4092 /prefetch:8
      4⤵
      PID:2020
- - C:\Program Files (x86)\Advanced System Optimizer 3\requireadministrator.exe
    "C:\Program Files (x86)\Advanced System Optimizer 3\requireadministrator.exe" ASO3.exe -firstinstall
    3⤵
    PID:4976
  - - C:\Program Files (x86)\Advanced System Optimizer 3\ASO3.exe
      "C:\Program Files (x86)\Advanced System Optimizer 3\ASO3.exe" -firstinstall
      4⤵
      PID:316
    - - C:\Program Files (x86)\Advanced System Optimizer 3\NewScheduler.exe
        
        "C:\Program Files (x86)\Advanced System Optimizer 3\NewScheduler.exe" schedulecheckupdatefor7days
        5⤵
        
        PID:5660
    - - C:\Program Files (x86)\Advanced System Optimizer 3\SysFileBakRes.exe
        
        "C:\Program Files (x86)\Advanced System Optimizer 3\SysFileBakRes.exe" runhiddenScan
        5⤵
        
        PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8602138903874f97a3a7f5ac2cb2194a /t 4304 /p 316
1⤵
PID:4380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:264

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2188

C:\Users\Admin\Desktop\clamwin-0.99.4-setup.exe
"C:\Users\Admin\Desktop\clamwin-0.99.4-setup.exe"
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\is-7I9FU.tmp\is-L3UTD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7I9FU.tmp\is-L3UTD.tmp" /SL4 $15074C "C:\Users\Admin\Desktop\clamwin-0.99.4-setup.exe" 172395663 52736
  2⤵
  PID:5356
- - C:\Program Files (x86)\ClamWin\bin\ClamWin.exe
    "C:\Program Files (x86)\ClamWin\bin\ClamWin.exe" --mode=update --close
    3⤵
    PID:5752
  - - C:\Program Files (x86)\ClamWin\bin\freshclam.exe
      "C:\Program Files (x86)\ClamWin\bin\freshclam.exe" --show-progress --stdout --datadir="C:\ProgramData\.clamwin\db" --config-file="c:\users\admin\appdata\local\temp\tmpg7v3uc" --log="c:\users\admin\appdata\local\temp\tmptntd15"
      4⤵
      PID:5812
- - C:\Program Files (x86)\ClamWin\bin\ClamTray.exe
    "C:\Program Files (x86)\ClamWin\bin\ClamTray.exe"
    3⤵
    PID:5124

C:\Users\Admin\Desktop\ReimageRepair.exe
"C:\Users\Admin\Desktop\ReimageRepair.exe"
1⤵
PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
    3⤵
    PID:1344
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid';"
  2⤵
  PID:5348
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%';"
  2⤵
  PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_tracking';"
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_tracking_%';"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
    3⤵
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_campaign';"
  2⤵
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%';"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Reimage.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:2304

C:\Users\Admin\Desktop\ReimageRepair.exe
"C:\Users\Admin\Desktop\ReimageRepair.exe"
1⤵
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:5700
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
    3⤵
    PID:4108
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_trackid_%';"
  2⤵
  PID:5432
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_trackid';"
  2⤵
  PID:5444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:5232
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_tracking';"
  2⤵
  PID:5340
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_tracking_%';"
  2⤵
  PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"
    3⤵
    PID:5364
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_campaign';"
  2⤵
  PID:5788
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_campaign_%';"
  2⤵
  PID:5192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq avupdate.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5520
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\jscript.dll"
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq ReimagePackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq ReimagePackage.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:3084
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq GeoProxy.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_country';"
    3⤵
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%reimageplus.com' and name='_country';"
  2⤵
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%reimageplus.com' and name like '_country_%';"
  2⤵
  PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Wireshark.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq Fiddler.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:3288
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq smsniff.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe
  "C:\Users\Admin\AppData\Local\Temp\ReimagePackage.exe" /GUI=http://www.reimageplus.com/GUI/GUI1970/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=e9cc02c8833c43d5a2bd698bc9&lang_code=en&bundle=0&loadresults=0&ShowSettings=false "/Location=C:\Users\Admin\Desktop\ReimageRepair.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=1956 /RunSilent=false /SessionID=3edb2714-2bc4-4c73-a439-5cc022b9aa5a /IDMinorSession=e9cc02c8833c43d5a2bd698bc9 /pxkp=Delete /ScanSilent=0 /Close=0 /cil=DISABLED /ShowName=False /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5568
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Reimage.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq avupdate.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5996
- - C:\Program Files\Reimage\Reimage Repair\lzma.exe
    "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
    3⤵
    PID:4380
- - C:\Program Files\Reimage\Reimage Repair\lzma.exe
    "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq REI_avira.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq REI_avira.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4348
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
    3⤵
    PID:5768
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
      4⤵
      PID:5584
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
    3⤵
    PID:4944
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
      4⤵
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\nsm972A.tmp\ProtectorUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\nsm972A.tmp\ProtectorUpdater.exe" /S /MinorSessionID=e9cc02c8833c43d5a2bd698bc9 /SessionID=3edb2714-2bc4-4c73-a439-5cc022b9aa5a /TrackID= /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1956 /Iav=False
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq UniProtectorPackage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq UniProtectorPackage.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe
      "C:\Users\Admin\AppData\Local\Temp\UniProtectorPackage.exe" /S /MinorSessionID=e9cc02c8833c43d5a2bd698bc9 /SessionID=3edb2714-2bc4-4c73-a439-5cc022b9aa5a /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
      4⤵
      PID:5692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq ReiScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:3144
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ReiScanner.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5344
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:5932
    - - C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
        
        "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
        5⤵
        
        PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq ReiGuard.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq ReiGuard.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq ReimageApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:2800
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq ReimageApp.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /TN ReimageUpdater /F
    3⤵
    PID:5920
- - C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe
    "C:\Program Files\Reimage\Reimage Protector\ReimageApp.exe"
    3⤵
    PID:2996
- - C:\Program Files\Reimage\Reimage Repair\Reimage.exe
    "C:\Program Files\Reimage\Reimage Repair\Reimage.exe" http://www.reimageplus.com/GUI/GUI1970/layout.php?consumer=1&gui_branch=0&trackutil=&MinorSessionID=e9cc02c8833c43d5a2bd698bc9&lang_code=en&bundle=0&loadresults=0&ShowSettings=false /Locale=1033
    3⤵
    PID:884
  - - C:\Windows\SYSTEM32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4552

C:\Users\Admin\Desktop\Restoro.exe
"C:\Users\Admin\Desktop\Restoro.exe"
1⤵
PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_trackid_product_24';"
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_trackid_product_24_%';"
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
    3⤵
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_tracking_product_24';"
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_tracking_product_24_%';"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
    3⤵
    PID:4784
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_campaign_product_24';"
  2⤵
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_campaign_product_24_%';"
  2⤵
  PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq avupdate.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5492
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\jscript.dll"
  2⤵
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\Restoro.exe
  "C:\Users\Admin\AppData\Local\Temp\Restoro.exe" /update=1 /Language=1033 /tracking=0 /campaign=0 /adgroup=0 /Ads_Name=0 /Keyword=0 /ResumeInstall=2 /RunSilent=false /pxkp=Delete /ShowName=False /StartScan=0 /ShowSettings=false /ScanConfirm=false /onboard=
  2⤵
  PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
      4⤵
      PID:5724
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_trackid_product_24';"
    3⤵
    PID:5604
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_trackid_product_24_%';"
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:5480
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
      4⤵
      PID:6020
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_tracking_product_24';"
    3⤵
    PID:5224
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_tracking_product_24_%';"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
      4⤵
      PID:5536
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_campaign_product_24';"
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_campaign_product_24_%';"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq RestoroMain.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:1080
- - C:\Windows\SYSTEM32\regsvr32.exe
    regsvr32 /s "C:\Windows\system32\jscript.dll"
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq RestoroSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq RestoroSetup.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5192
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
      4⤵
      Enumerates processes with tasklist
      PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq GeoProxy.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_country_product_24';"
      4⤵
      PID:5740
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_country_product_24';"
    3⤵
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_country_product_24_%';"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5252
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Wireshark.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5656
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq Fiddler.exe"
      4⤵
      Enumerates processes with tasklist
      PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq smsniff.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe" /GUI=http://www.restoro.com/ui/2100/layout.php?consumer=1&trackutil=&MinorSessionID=2baba67f6e81451299104155fa&lang_code=en&trial=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Restoro.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=2100 /RunSilent=false /SessionID=07c4fb5d-bd0b-4b6f-8472-6099a8cf10c4 /IDMinorSession=2baba67f6e81451299104155fa /pxkp=Delete /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
    3⤵
    PID:6036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroMain.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:972
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avupdate.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:544
  - - C:\Program Files\Restoro\lzma.exe
      "C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\ax.lza" "C:\Program Files\Restoro\ax.dll"
      4⤵
      PID:796
  - - C:\Program Files\Restoro\lzma.exe
      "C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\engine.lza" "C:\Program Files\Restoro\engine.dll"
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroAM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:204
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroAM.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1440
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Restoro\ax.dll"
      4⤵
      PID:4948
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\Restoro\ax.dll"
        5⤵
        
        PID:5268
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files\Restoro\engine.dll"
      4⤵
      PID:5472
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\Restoro\engine.dll"
        5⤵
        
        PID:432
  - - C:\Users\Admin\AppData\Local\Temp\nso1C86.tmp\RestoroUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\nso1C86.tmp\RestoroUpdater.exe" /S /MinorSessionID=2baba67f6e81451299104155fa /SessionID=07c4fb5d-bd0b-4b6f-8472-6099a8cf10c4 /TrackID= /AgentLogLocation=C:\C:\ProgramData\Restoro\bin\results /CflLocation=C:\ProgramData\Restoro\cfl.rei /Install=True /DownloaderVersion=2100 /Iav=False
      4⤵
      PID:5212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        5⤵
        
        PID:4704
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5400
    - - C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe" /S /MinorSessionID=2baba67f6e81451299104155fa /SessionID=07c4fb5d-bd0b-4b6f-8472-6099a8cf10c4 /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
        5⤵
        
        PID:3648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        6⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroScanner.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3080
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C tasklist /FI "IMAGENAME eq RestoroUI.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
        6⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroUI.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:5600
      - C:\Program Files\Restoro\bin\RestoroProtection.exe
        
        "C:\Program Files\Restoro\bin\RestoroProtection.exe" -install
        6⤵
        
        PID:5244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroProtection.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroProtection.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C tasklist /FI "IMAGENAME eq RestoroApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq RestoroApp.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:4656
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN RestoroActiveProtection /F
      4⤵
      PID:5724
  - - C:\Program Files\Restoro\bin\RestoroApp.exe
      "C:\Program Files\Restoro\bin\RestoroApp.exe"
      4⤵
      PID:4912
  - - C:\Program Files\Restoro\RestoroMain.exe
      "C:\Program Files\Restoro\RestoroMain.exe" http://www.restoro.com/ui/2100/layout.php?consumer=1&trackutil=&MinorSessionID=2baba67f6e81451299104155fa&lang_code=en&trial=0&ShowSettings=false /Locale=1033
      4⤵
      PID:5472

C:\Users\Admin\Desktop\Restoro.exe
"C:\Users\Admin\Desktop\Restoro.exe"
1⤵
PID:6132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
    3⤵
    PID:5216
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_trackid_product_24';"
  2⤵
  PID:5488
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_trackid_product_24_%';"
  2⤵
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vraoxd0z.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
    3⤵
    PID:1112
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_tracking_product_24';"
  2⤵
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_tracking_product_24_%';"
  2⤵
  PID:5420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
  2⤵
  PID:5280
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select value, expires_utc from cookies where host_key like '%restoro.com' and name='_campaign_product_24';"
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
  "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" "select name, expires_utc from cookies where host_key like '%restoro.com' and name like '_campaign_product_24_%';"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq RestoroMain.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq avupdate.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6012

C:\Users\Admin\Desktop\RegpairSetup.exe
"C:\Users\Admin\Desktop\RegpairSetup.exe"
1⤵
PID:5936
- C:\PROGRA~2\FREEWI~1\Regpair.exe
  "C:\PROGRA~2\FREEWI~1\Regpair.exe"
  2⤵
  PID:4396

C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
"C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe"
1⤵
PID:6004
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  "C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe"
  2⤵
  PID:448
- C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
  commadnlinetogetexplorerhistory 3600 "C:\Users\Admin\AppData\Local\Temp\241902578_file.txt"
  2⤵
  PID:4592

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1152

C:\Program Files\Restoro\bin\RestoroProtection.exe
"C:\Program Files\Restoro\bin\RestoroProtection.exe"
1⤵
PID:5572
- C:\Program Files\Restoro\bin\RestoroService.exe
  "C:\Program Files\Restoro\bin\RestoroService.exe"
  2⤵
  PID:5464

C:\Users\Admin\Desktop\CursorSnowflakes.exe
"C:\Users\Admin\Desktop\CursorSnowflakes.exe"
1⤵
PID:3792

C:\Users\Admin\Desktop\CursorSnowflakes.exe
"C:\Users\Admin\Desktop\CursorSnowflakes.exe"
1⤵
PID:952

C:\Users\Admin\Desktop\ChristmasTaskbar.exe
"C:\Users\Admin\Desktop\ChristmasTaskbar.exe"
1⤵
PID:3152

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2080

C:\Users\Admin\Desktop\ChristmasFireplace.exe
"C:\Users\Admin\Desktop\ChristmasFireplace.exe"
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_1520669170\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe

Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe

Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe

Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
\??\c:\users\admin\appdata\local\temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
memory/8-313-0x0000000005EB1000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/8-314-0x0000000005EB1000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/8-316-0x0000000005EB1000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/8-309-0x0000000005EB0000-0x000000000609A000-memory.dmp

Filesize
1.9MB

Download
memory/8-311-0x0000000005EB1000-0x000000000600F000-memory.dmp

Filesize
1.4MB

Download
memory/64-177-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/492-193-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/492-196-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/492-208-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/696-213-0x0000000003D10000-0x0000000003E1D000-memory.dmp

Filesize
1.1MB

Download
memory/1408-289-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-290-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-308-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-307-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-274-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-305-0x00000000736F0000-0x0000000073713000-memory.dmp

Filesize
140KB

Download
memory/1408-306-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-275-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-276-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-277-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-278-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-279-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-304-0x0000000009150000-0x00000000093B3000-memory.dmp

Filesize
2.4MB

Download
memory/1408-280-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-281-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-282-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-283-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-284-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-286-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-303-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-302-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-301-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-300-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-285-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-299-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-298-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-297-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-296-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-295-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-317-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-287-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-288-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-318-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-312-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-310-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-273-0x0000000007110000-0x00000000072FA000-memory.dmp

Filesize
1.9MB

Download
memory/1408-291-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-292-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-293-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-315-0x0000000009151000-0x0000000009276000-memory.dmp

Filesize
1.1MB

Download
memory/1408-294-0x0000000007111000-0x000000000726F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-160-0x0000000001CEA000-0x0000000001CEF000-memory.dmp

Filesize
20KB

Download
memory/1564-146-0x00007FFC416E0000-0x00007FFC42116000-memory.dmp

Filesize
10.2MB

Download
memory/1564-180-0x0000000001CEA000-0x0000000001CEF000-memory.dmp

Filesize
20KB

Download
memory/1564-184-0x0000000001CEA000-0x0000000001CEF000-memory.dmp

Filesize
20KB

Download
memory/1672-406-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1672-450-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-215-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1876-220-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1876-262-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1876-235-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2080-189-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2080-185-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2080-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2080-191-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2212-408-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2212-407-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-202-0x000000000E360000-0x000000000E401000-memory.dmp

Filesize
644KB

Download
memory/2864-264-0x0000000014A10000-0x0000000014AB1000-memory.dmp

Filesize
644KB

Download
memory/2880-181-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-165-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3028-244-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3028-221-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3028-236-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3028-218-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3084-207-0x0000000003BE0000-0x0000000003CED000-memory.dmp

Filesize
1.1MB

Download
memory/3872-132-0x0000000000550000-0x00000000005A1000-memory.dmp

Filesize
324KB

Download
memory/3960-272-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3960-248-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3960-241-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3960-238-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4108-139-0x000000000137A000-0x000000000137F000-memory.dmp

Filesize
20KB

Download
memory/4108-157-0x000000000137A000-0x000000000137F000-memory.dmp

Filesize
20KB

Download
memory/4108-138-0x00007FFC416E0000-0x00007FFC42116000-memory.dmp

Filesize
10.2MB

Download
memory/4164-200-0x0000000003EB0000-0x0000000003FBD000-memory.dmp

Filesize
1.1MB

Download
memory/4256-156-0x00000000021D0000-0x00000000021D9000-memory.dmp

Filesize
36KB

Download
memory/4340-203-0x0000000003D20000-0x0000000003E2D000-memory.dmp

Filesize
1.1MB

Download
memory/4408-176-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4408-183-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4408-182-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4664-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4900-205-0x0000000002680000-0x000000000278D000-memory.dmp

Filesize
1.1MB

Download
memory/4944-179-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4944-153-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4944-178-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/5016-545-0x0000000072FD0000-0x0000000072FDB000-memory.dmp

Filesize
44KB

Download
memory/5016-550-0x0000000072FD0000-0x0000000072FDB000-memory.dmp

Filesize
44KB

Download
memory/5212-562-0x0000000073150000-0x000000007315B000-memory.dmp

Filesize
44KB

Download
memory/5212-566-0x0000000073150000-0x000000007315B000-memory.dmp

Filesize
44KB

Download
memory/5324-453-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5324-506-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download