cryptbot | 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764

Resubmissions

16-01-2023 10:07

230116-l5vegshc3x 10

10-01-2023 20:37

10-01-2023 18:54

10-01-2023 18:48

10-01-2023 18:47

10-01-2023 18:44

Analysis

max time kernel
259s
max time network
435s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bonzify.exe
Size

6.4MB
MD5

fba93d8d029e85e0cde3759b7903cee2
SHA1

525b1aa549188f4565c75ab69e51f927204ca384
SHA256

66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA512

7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
SSDEEP

196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD

Score

10^/10

cryptbot discovery exploit persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

http://quwsgq110.top/gate.php

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Executes dropped EXE 4 IoCs

Processes:

INSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exe

pid process

1916 INSTALLER.exe
1172 AgentSvr.exe
1484 INSTALLER.exe
1540 AgentSvr.exe

pid	process
1916	INSTALLER.exe
1172	AgentSvr.exe
1484	INSTALLER.exe
1540	AgentSvr.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INSTALLER.exeINSTALLER.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1700 takeown.exe
364 icacls.exe

pid	process
1700	takeown.exe
364	icacls.exe

Loads dropped DLL 29 IoCs

Processes:

Bonzify.exeINSTALLER.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeAgentSvr.exeINSTALLER.exeregsvr32.exeregsvr32.exeAgentSvr.exe

pid	process
1668	Bonzify.exe
1916	INSTALLER.exe
1916	INSTALLER.exe
1916	INSTALLER.exe
1916	INSTALLER.exe
560	regsvr32.exe
2040	regsvr32.exe
1600	regsvr32.exe
960	regsvr32.exe
1120	regsvr32.exe
1180	regsvr32.exe
820	regsvr32.exe
1916	INSTALLER.exe
1916	INSTALLER.exe
1172	AgentSvr.exe
1172	AgentSvr.exe
1172	AgentSvr.exe
1668	Bonzify.exe
1484	INSTALLER.exe
1484	INSTALLER.exe
1484	INSTALLER.exe
1484	INSTALLER.exe
564	regsvr32.exe
564	regsvr32.exe
1280	regsvr32.exe
1668	Bonzify.exe
1540	AgentSvr.exe
1540	AgentSvr.exe
1540	AgentSvr.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1700 takeown.exe
364 icacls.exe

pid	process
1700	takeown.exe
364	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INSTALLER.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

INSTALLER.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SET199F.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SET199F.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Windows directory 58 IoCs

Processes:

INSTALLER.exeBonzify.exeINSTALLER.exe

description	ioc	process
File opened for modification	C:\Windows\msagent\SET1311.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12C8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File created	C:\Windows\msagent\SET12FE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SET12FF.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File opened for modification	C:\Windows\msagent\SET12D8.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET12D9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12FE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SET198D.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET1311.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET12D8.tmp	INSTALLER.exe
File created	C:\Windows\help\SET12FF.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SET1310.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET198B.tmp	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\intl\SET1310.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SET198C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET199E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12EC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12ED.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET198B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\msagent\SET12C7.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET12FD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12C7.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12DA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File created	C:\Windows\msagent\SET12EB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File created	C:\Windows\msagent\SET12ED.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File created	C:\Windows\msagent\SET12C8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File created	C:\Windows\lhsp\help\SET198C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET12FD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	INSTALLER.exe
File created	C:\Windows\INF\SET199E.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12EB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET197B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File created	C:\Windows\fonts\SET198D.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET12D9.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET12EC.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET197B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File created	C:\Windows\msagent\SET12DA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2136 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2708 timeout.exe

pid	process
2136	schtasks.exe

pid	process
2708	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1652 taskkill.exe

pid	process
1652	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff0000000000000000200300002c020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000010000000083ffff0083ffffffffffffffffffff0000000000000000200300002c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64970191-958E-11ED-84FB-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeAgentSvr.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\TreatAs\ = "{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.1\CLSID\ = "{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ = "IAgentEx"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlAudioObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ = "IAgentNotifySinkEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR\ = "C:\\Windows\\msagent\\"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlPropertySheet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\ = "Agent Custom Proxy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\ProgID\ = "Agent.Server.2"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\ = "Microsoft Agent Character File"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exechrome.exechrome.exe

pid	process
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1120	chrome.exe
1672	chrome.exe
1672	chrome.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1628 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

taskkill.exeAUDIODG.EXEINSTALLER.exeINSTALLER.exeAgentSvr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1652	taskkill.exe
Token: 33	796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	796	AUDIODG.EXE
Token: 33	796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	796	AUDIODG.EXE
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1916	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: SeRestorePrivilege	1484	INSTALLER.exe
Token: 33	1540	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	1540	AgentSvr.exe
Token: SeDebugPrivilege	1628	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AgentSvr.exetaskmgr.exechrome.exe

pid	process
1540	AgentSvr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1540	AgentSvr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

AgentSvr.exetaskmgr.exechrome.exe

pid	process
1540	AgentSvr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1540	AgentSvr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3032 iexplore.exe
3032 iexplore.exe
2936 IEXPLORE.EXE
2936 IEXPLORE.EXE
2936 IEXPLORE.EXE
2936 IEXPLORE.EXE

pid	process
3032	iexplore.exe
3032	iexplore.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bonzify.execmd.exeINSTALLER.exe

description	pid	process	target process
PID 1668 wrote to memory of 896	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 896	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 896	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 896	1668	Bonzify.exe	cmd.exe
PID 896 wrote to memory of 1652	896	cmd.exe	taskkill.exe
PID 896 wrote to memory of 1652	896	cmd.exe	taskkill.exe
PID 896 wrote to memory of 1652	896	cmd.exe	taskkill.exe
PID 896 wrote to memory of 1652	896	cmd.exe	taskkill.exe
PID 896 wrote to memory of 1700	896	cmd.exe	takeown.exe
PID 896 wrote to memory of 1700	896	cmd.exe	takeown.exe
PID 896 wrote to memory of 1700	896	cmd.exe	takeown.exe
PID 896 wrote to memory of 1700	896	cmd.exe	takeown.exe
PID 896 wrote to memory of 364	896	cmd.exe	icacls.exe
PID 896 wrote to memory of 364	896	cmd.exe	icacls.exe
PID 896 wrote to memory of 364	896	cmd.exe	icacls.exe
PID 896 wrote to memory of 364	896	cmd.exe	icacls.exe
PID 1668 wrote to memory of 1884	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 1884	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 1884	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 1884	1668	Bonzify.exe	cmd.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1668 wrote to memory of 1916	1668	Bonzify.exe	INSTALLER.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 560	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 2040	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1600	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 960	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1120	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1180	1916	INSTALLER.exe	regsvr32.exe
PID 1916 wrote to memory of 1180	1916	INSTALLER.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\Bonzify.exe
"C:\Users\Admin\AppData\Local\Temp\Bonzify.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AgentSvr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\takeown.exe
takeown /r /d y /f C:\Windows\MsAgent
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1700

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\WerFault.exe"
2⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:560

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2040

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
3⤵
- Loads dropped DLL
PID:1600

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:960

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1120

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
3⤵
- Loads dropped DLL
PID:1180

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
3⤵
- Loads dropped DLL
PID:820

C:\Windows\msagent\AgentSvr.exe
"C:\Windows\msagent\AgentSvr.exe" /regserver
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1172

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
INSTALLER.exe /q
2⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
3⤵
- Loads dropped DLL
PID:564

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1280

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
3⤵
PID:1320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:624

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5384f50,0x7fef5384f60,0x7fef5384f70
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1084 /prefetch:2
2⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3224 /prefetch:2
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1244 /prefetch:1
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:8
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
2⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1072,11910681471121785318,13593212560469071800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 /prefetch:8
2⤵
PID:2812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5384f50,0x7fef5384f60,0x7fef5384f70
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1004,17601220659163923565,2807452815285146693,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1012 /prefetch:2
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1004,17601220659163923565,2807452815285146693,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1432 /prefetch:8
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6754f50,0x7fef6754f60,0x7fef6754f70
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=988 /prefetch:2
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1364 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:8
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3268 /prefetch:2
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1160 /prefetch:8
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1220 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1228 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1500 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=968,7608274179598936834,4495391675188452378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 /prefetch:8
2⤵
PID:2680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14230:98:7zEvent24593
1⤵
PID:2648

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32569:72:7zEvent28987
1⤵
PID:2876

C:\Users\Admin\Desktop\App-Software.exe
"C:\Users\Admin\Desktop\App-Software.exe"
1⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
/C schtasks /create /tn \Mozilla\kekkww /tr """"C:\Users\Admin\AppData\Roaming\ytavv\mchost.exe""" """C:\Users\Admin\AppData\Roaming\ytavv\mchost.chm"""" /st 00:10 /du 9700:20 /sc once /ri 1 /f
2⤵
PID:2464

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Mozilla\kekkww /tr """"C:\Users\Admin\AppData\Roaming\ytavv\mchost.exe""" """C:\Users\Admin\AppData\Roaming\ytavv\mchost.chm"""" /st 00:10 /du 9700:20 /sc once /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\Desktop\App-Software.exe"
2⤵
PID:2736

C:\Windows\SysWOW64\timeout.exe
timeout -t 5
3⤵
- Delays execution with timeout.exe
PID:2708

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {D7DF63AD-298A-40E6-B946-97EDD0E9D245} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:2892

C:\Users\Admin\AppData\Roaming\ytavv\mchost.exe
C:\Users\Admin\AppData\Roaming\ytavv\mchost.exe "C:\Users\Admin\AppData\Roaming\ytavv\mchost.chm"
2⤵
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
Filesize
161B

MD5
ea7df060b402326b4305241f21f39736

SHA1
7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2

SHA256
e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793

SHA512
3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat
Filesize
46B

MD5
f80e36cd406022944558d8a099db0fa7

SHA1
fd7e93ca529ed760ff86278fbfa5ba0496e581ce

SHA256
7b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7

SHA512
436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2

Download Submit
C:\Users\Admin\Desktop\AddSave.xltx
Filesize
402KB

MD5
be13196693e32f5490d0bd9cb4fa57c4

SHA1
a59e140ff647bfcdbf62cd9840f7d278f07edd04

SHA256
5659044d515206eccbf72f1118c4420c794455f2c024a94d1a34ea317f78b223

SHA512
8e54462dfc2092587131705374d1297b6299d908e75b3bb8e9907e5180cf8002df99a2d6782a778541648a7ba3ecb4c09a54de42754b25845873694d15ed5b68

Download Submit
C:\Users\Admin\Desktop\BlockCopy.pot
Filesize
545KB

MD5
6e4adb3a7968a4850239dd77208fdc44

SHA1
e33ab69cfea3a0a2fca5ce9b08d302acc0812ae3

SHA256
0e5693489733579aece7f18a19442aa5efb802591f11142f4b5e8dd55f0e7bdd

SHA512
baca99ea2c17439062e4a31f0009dc939906876b47dbf9914a7f08a918a22b3bc63524d9692def7da1052b0ff4f9a0028d2005095b8d7593b0e4eb0d4c551ed4

Download Submit
C:\Users\Admin\Desktop\CheckpointInvoke.emf
Filesize
474KB

MD5
091e7417dec7f4bf3a1bdd9bbc0bf3df

SHA1
210aac2cdfb9d1db3e956a553addd3a15cba9c6f

SHA256
45af845d8523e6c58b090041042e0ebbed93f72de0ece293f8a9a347dd4b39ff

SHA512
3468c4460ec84e0db01c00364b690440bc282b140c42492ba587df46bad1b9b28fac372733a8ca30cedfe6fe17441e754b46cc69dbe4b538e4f19985f6bd6b24

Download Submit
C:\Users\Admin\Desktop\CheckpointProtect.vssm
Filesize
790KB

MD5
737876a0fd1e92f1e65040d51dae5c5b

SHA1
c725ea8f6f7fcd146f936626eb65ecee604d04aa

SHA256
88a69aa3396d92d16ea1a88ddfd30dd3b8057a063e3c8235f17eabfcaf1d69f1

SHA512
0f017fe39f4aa3087ce5b5fb4df51e2d4d0d67f5b03a59d78624fcc611525de448a4fdd55f8e9cb6187b9c1fd51f0ba40063ee56023c2160d8bc2157d8f8080f

Download Submit
C:\Users\Admin\Desktop\ConvertToOpen.snd
Filesize
517KB

MD5
03afadc0da8baf3572611385f5b9b328

SHA1
97d5b26d4ac0d25a1562acc1441135447736e04b

SHA256
6865c10943637a051b9e774589c9387de175b2f30cc1e04bf938087e7aaa3712

SHA512
30a49947419c7182961c3c3da5d9fd201a1aee01eed69b5dbf0ca74cce5651620b748bdb14d3501011969f0bf140fdefced928533bb3dc4768461ba3a44fea86

Download Submit
C:\Users\Admin\Desktop\DebugConvertTo.mpeg
Filesize
344KB

MD5
5207a306e7b29adcb1fd2482a7a91486

SHA1
193f44b850dd116e474db883369a462a20e3c9fd

SHA256
ec3f3216db959b20e8bf40290282fb4c2663ce8f1f73edd721870d0fed2f00db

SHA512
0899e7a2d43b68330c9a15e7022e0cc650d7b195bd058e0d69bb358218095d3d89bc247e69edbf2aae3a29e7f2b5a09a29ffb3ba4ef0e488a42b1db8a9a07e1c

Download Submit
C:\Users\Admin\Desktop\GrantExpand.xps
Filesize
272KB

MD5
360405afd4c854779defa4a258dd1884

SHA1
d5175dd4e04d28695842164fca89deee33920850

SHA256
d4a880ccb47637b6f684804af2a31baacbca617a62ba48b4892af893a29affbc

SHA512
104eb29363968386343c1d6d9d12bea84e963bf1f7a0c9c4341d6b709c37bcb04235649ae85acde452700aabb6b8a5e55f428aebdd00ba990f01bc694ce22c1e

Download Submit
C:\Users\Admin\Desktop\MountSend.mp3
Filesize
502KB

MD5
3261ddd125005e2042804b4b722cc6b1

SHA1
c6fc328d02b98fd44f4f85da0a684e69649f46bc

SHA256
b65ff2403b98b376edd055c52ffec64c6ff37c8c5e5a58f3e599349d42b497ae

SHA512
fabbadb07438cdd37673b2c16eddc6805411d89e6dc5a18eb5354a59f656658be9d733776a1d0be1ca8d131b613ada5e4b72db24990fe424475cde767d71b55d

Download Submit
C:\Users\Admin\Desktop\MoveEnable.svg
Filesize
258KB

MD5
4f3b0cbda0784ea6037695435b58caf2

SHA1
fe458a438d6ec9ab44a7edee99645f2f9155631c

SHA256
6fd28bc7190fc871443ccda48073dc49c81ae89cb123e0c43df036ae5d6068a7

SHA512
1587470f66ec32cef078a2e43a9178c1f87223b464499449b9d34339b098b4e12ecdde8967d403eb81f8bdd0b0e7c2a186b66917e3cc529cb397f53ad08d5d98

Download Submit
C:\Users\Admin\Desktop\PingDebug.mid
Filesize
373KB

MD5
761f9658416e421965a334a4aebb5a45

SHA1
57d2a471b00eae2d9e38fc53161b6faeb95c5c91

SHA256
410574a97b172fcec823a01b0ca7df86e02c7e60271fd58713f387f114850d89

SHA512
3d7c22997db4b10bc9a588988d4a01fd433ef3d64da418594f526251ec68c8c765c430575ab19f9591e36e9e068732116cc4124957d9e69d80b39608d4e18cce

Download Submit
C:\Users\Admin\Desktop\PublishDismount.emz
Filesize
244KB

MD5
5a46adc804d42e46e87eaa0ca984ff89

SHA1
53bc1201efdd0e8c512c4f70f751f649c7b1d2b5

SHA256
ec98c0fcc1e2d05db65c9b671887591bcba5975adeae4378370da611414b9338

SHA512
766a857304ad3263d09b220d16f48ad3e91e9a7fe2a2e995c9cf8bc513cc1b9be5f262f5c92ea500d3bc94e5c36dd72d3f7d954d0782511e591e2a9655560483

Download Submit
C:\Users\Admin\Desktop\PublishExit.mht
Filesize
431KB

MD5
7ea2588ed74608d68d4291f33255d829

SHA1
e1b60762d484de343f84c34fb864a28828a5cd21

SHA256
91e3671b3c7563f9f8d1a576bfc1d0649987b8025bc173e0f2c7c73c283eedff

SHA512
6df99cfde6d75dc5718e466dafeee531bfbdc846c92694f756cf4a05fb962fab302109e5096b11321368b00d1de7f501933585db4162f60057735555398a858f

Download Submit
C:\Users\Admin\Desktop\ReadReceive.mht
Filesize
574KB

MD5
9442bc75c753675242bc75065d7d47e8

SHA1
437a3b79de511bca1903bac2d4ef19ec05957669

SHA256
c813d13ff0950de20204a859c3e6d4879325cee5096942cd9b4fa6c4ce9fa70c

SHA512
a008cb9c88eb5425a8668dc84877ed7e70b32147f04818e048a898bb21f542ee421a185635049568a41a995358d2b0ae2e980eec24a4522559949e1b41ac3ae3

Download Submit
C:\Users\Admin\Desktop\RedoConvert.css
Filesize
201KB

MD5
32227b4bee42aa192c07c5df70416265

SHA1
5b505ba977bb226b59dedb76a3dbfe6d62987a25

SHA256
d6f0cabfea685f6817f8269ee24357699e96a911b85ea2d66aa8a303800163d9

SHA512
04b5f4cdbb5c83af50555bca383667828417f363962d8b010976ce529a334167ca284c7404dc7780f91ab45e80e7330cc53640d6aa3f0b034fdff45008da20b1

Download Submit
C:\Users\Admin\Desktop\RequestOut.txt
Filesize
330KB

MD5
8c7ee39837982b769ce4ceb02caa7ac9

SHA1
d7a51f48171a50e2866020dcaa7ee84df2b79744

SHA256
81fbb907063340d19d111bc1d196a5e7a0b260713c20508c7f166c1a552825ad

SHA512
c1df03eaa0463ca5b5bdc2adf72f6a24663f237eba919c720557e433d9a2b236854cb53a54d521b457a8466cdf12fa05d1f33a9611fbd9529d9a5eeec8580519

Download Submit
C:\Users\Admin\Desktop\ResetWrite.dwfx
Filesize
316KB

MD5
5822552a3aa5ec0084711afdf7f66b01

SHA1
13c8616fc0c0b3c70547113f1448769fb33e496e

SHA256
c4282502696285d475c579fbc0986e4958df517a2c8f07b2058cb434eba8b036

SHA512
388e01f74780bbebc1257f69d3d15899cbf45467759af329584cefa32dd787e64590236a7ebfdcc034920f4da7cf65c584a0571531de7043c309c0eb783f339e

Download Submit
C:\Users\Admin\Desktop\RevokeDismount.xlsm
Filesize
416KB

MD5
eb7f26fd345399f51f15a49de5bf9718

SHA1
557e9c519384c9869b1e574fb61c3315387a41f2

SHA256
849d6d25137cefcc49f729b571d753ca26bf854092b79b378f5e248fd074f1c9

SHA512
43da74d4f475c2005f5da77f6e53465b38bb90a3512291cb5254a684625f57cdac140dfd27a32ada080a775d2f4bece78d0dc17cda569032cdc5b1e8bda75cc5

Download Submit
C:\Users\Admin\Desktop\RevokeOut.dwg
Filesize
229KB

MD5
c04e626f1380e0033f7a8651b548616b

SHA1
4c7c3cc69c82af88969d5bf44919c042c0f3ee06

SHA256
53ce44d22e480ce3a1d4e824e8498f2e96158b0fabe062c2532f5dd0845cce0c

SHA512
30772c611342589986492b21b8f9b6c72a50e52e26be8cfde88d3de755338bba8d5afb4046795f1793991cb6e59d77949954e7decda45a015a10a11cd39b47fb

Download Submit
C:\Users\Admin\Desktop\RevokeRestore.docx
Filesize
488KB

MD5
bc4606241e5aff5f6ef63df57e74548a

SHA1
843f6a4fd34fb7de60dbbcb21af7f72dbf4485bf

SHA256
db90581085d46a78110c9ad23dd0c6fc6fbbb2c3dc5bed7fbc25296cf02c4cea

SHA512
b8612e87d47c771409b821aa38447dc5876f9117a9ce6e46822c2aaf310ed96d3f1fa13a7e6fefee0dcf9991084bec7fe24434604e7af01a6a1bf23188ce79fd

Download Submit
C:\Users\Admin\Desktop\RevokeUnpublish.mht
Filesize
459KB

MD5
8bf525461cd6a798852a4d4b6604571f

SHA1
a795d83b4f17065523c345471ad65f3800aea1a5

SHA256
5b687d639449af816dbe6e7f09aa6ab9cd36f3c30168f9ecdaccdfed5c9f7358

SHA512
6f1d3a3165acfe79b3e8b190cc6a69ee23faf2385bf75a5066a3d1a6b9253cdf816bdab91df349d6e5621c81b890072df908123d7cc0872c7dbc3ed9457886a5

Download Submit
C:\Users\Admin\Desktop\ShowRevoke.css
Filesize
287KB

MD5
55cd1d2d385cf8f81483a7964ff008a1

SHA1
926d39dfa0868846fec190f6f9d22b7576641cbe

SHA256
daa275343055bd462cbdd3f54198bf88a277cfde821d914b51aabdc8a10059f4

SHA512
5ab9309b91268e1c22edc74dd44220d9e1cb311f71bf608283b2bb426d28101720a777ed2e6b08e0b6be19bd163f3121b60410ac118e96f68304afc6c515f52a

Download Submit
C:\Users\Admin\Desktop\StopGroup.mhtml
Filesize
387KB

MD5
bd9c5b28a76301c29f53c5e86526e4b4

SHA1
ce115e2591240bdb0c6255a73aef8b3f39aa0392

SHA256
e21c03109916c793098862de39eee9b48a339955608be63e8ff725d0c4a81ec1

SHA512
e89d6399fb407d0d3785deab4081e86aec77ad4117e5dd534d7260f4011790fc7e7b8399139eac104d3412c3ea2a9303b7fa9dd03319cde56911576691dc2b41

Download Submit
C:\Users\Admin\Desktop\SyncResolve.crw
Filesize
531KB

MD5
dd898bc414d3c357a7b875e625d0fe21

SHA1
0854f885a31efdcb5797fb0f9ec8878837db3df3

SHA256
eaa0d6b3a9739443809651f4a780d6b9122d5ec700dc6f87471465ad8e2265e9

SHA512
f146de6263cebb8d399373b5dd8c7af1ac52dbb5b4c412f5a9558e39d63553ec50494b5f958e8c3a9ef27cbf6ab1574259d17d50e31df5f25bd77813e3bf6b4e

Download Submit
C:\Users\Admin\Desktop\TestMerge.asp
Filesize
215KB

MD5
da4487e9879d45eeda46b65d8e5cd322

SHA1
81abd11581534122d0cd4358567f3d7b70e65a4d

SHA256
6d040244f4c9404ea4f9212acc0b65c1a9ebabc4a60eee9daa846e00c106ee04

SHA512
c69109a0d23ac4dcdc295727275b048862235bbfc16ec11de683cb12770e452a7fe90b551ceac50af41f16ca9fcc20f640bdeb38df611345ba642dbf2f432c1d

Download Submit
C:\Windows\SysWOW64\MSVCP50.dll
Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Windows\lhsp\tv\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Windows\msagent\AgentDP2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Windows\msagent\AgentPsh.dll
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Windows\msagent\AgentSR.dll
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
391KB

MD5
66996a076065ebdcdac85ff9637ceae0

SHA1
4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce

SHA256
16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa

SHA512
e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.exe
Filesize
997KB

MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
\Windows\lhsp\tv\tv_enua.dll
Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
\Windows\msagent\AgentCtl.dll
Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
\Windows\msagent\AgentDPv.dll
Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
\Windows\msagent\AgentDp2.dll
Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
\Windows\msagent\AgentMPx.dll
Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
\Windows\msagent\AgentPsh.dll
Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
\Windows\msagent\AgentSR.dll
Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
\Windows\msagent\AgentSvr.exe
Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
\Windows\msagent\mslwvtts.dll
Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
memory/316-133-0x0000000000000000-mapping.dmp

Download
memory/364-59-0x0000000000000000-mapping.dmp

Download
memory/560-96-0x0000000000000000-mapping.dmp

Download
memory/564-144-0x0000000000000000-mapping.dmp

Download
memory/820-120-0x0000000000000000-mapping.dmp

Download
memory/896-55-0x0000000000000000-mapping.dmp

Download
memory/960-108-0x0000000000000000-mapping.dmp

Download
memory/1000-162-0x0000000000620000-0x00000000006FA000-memory.dmp

Filesize
872KB

Download
memory/1000-164-0x0000000000620000-0x00000000006FA000-memory.dmp

Filesize
872KB

Download
memory/1120-112-0x0000000000000000-mapping.dmp

Download
memory/1172-126-0x0000000000000000-mapping.dmp

Download
memory/1180-116-0x0000000000000000-mapping.dmp

Download
memory/1280-149-0x0000000000000000-mapping.dmp

Download
memory/1320-151-0x0000000000000000-mapping.dmp

Download
memory/1484-136-0x0000000000000000-mapping.dmp

Download
memory/1600-104-0x0000000000000000-mapping.dmp

Download
memory/1628-154-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1628-155-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1644-168-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1652-57-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1700-58-0x0000000000000000-mapping.dmp

Download
memory/1884-86-0x0000000000000000-mapping.dmp

Download
memory/1916-87-0x0000000000000000-mapping.dmp

Download
memory/2040-100-0x0000000000000000-mapping.dmp

Download
memory/2136-161-0x0000000000000000-mapping.dmp

Download
memory/2464-159-0x0000000000000000-mapping.dmp

Download
memory/2596-169-0x0000000000000000-mapping.dmp

Download
memory/2708-165-0x0000000000000000-mapping.dmp

Download
memory/2736-163-0x0000000000000000-mapping.dmp

Download