Analysis

  • max time kernel
    158s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/12/2023, 05:17 UTC

General

  • Target

    29aee1ebc452c57d9bfaee973ae89873.exe

  • Size

    27KB

  • MD5

    29aee1ebc452c57d9bfaee973ae89873

  • SHA1

    194151b20390a3a62032edc9de03f018817c060e

  • SHA256

    69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c

  • SHA512

    89a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d

  • SSDEEP

    768:1GRc7leirgHx1GpQXypO0fsovdeMYxax:6icHrktTfsqsxA

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 8 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe
    "C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\Systom.exe
      C:\Windows\system32\Systom.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\Systom.exe /F
        3⤵
        • Modifies registry key
        PID:4616
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
        3⤵
          PID:952
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_dword /d 00000001 /f
          3⤵
            PID:4848
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 0 /f
            3⤵
            • Modifies registry key
            PID:1652
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v Text /t REG_SZ /d ÏÔʾËùÓÐÎļþºÍÎļþ¼Ð /f
            3⤵
            • Modifies registry key
            PID:2900
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /f
            3⤵
            • Modifies registry key
            PID:3600
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
            3⤵
            • Modifies registry key
            PID:4940
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_dword /d 00000002 /f
            3⤵
            • Modifies registry key
            PID:3464
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
            3⤵
            • Modifies registry key
            PID:2088
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
            3⤵
            • Modifies registry key
            PID:4064
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
            3⤵
            • Modifies registry key
            PID:3472
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
            3⤵
              PID:2220
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
              3⤵
                PID:2420
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                3⤵
                • Sets file execution options in registry
                PID:1992
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                3⤵
                  PID:3596
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                  3⤵
                    PID:1608
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                    3⤵
                      PID:4360
                    • C:\Windows\SysWOW64\reg.exe
                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                      3⤵
                        PID:4392
                      • C:\Windows\SysWOW64\reg.exe
                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRuns.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                        3⤵
                          PID:3128
                        • C:\Windows\SysWOW64\reg.exe
                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                          3⤵
                            PID:1756
                          • C:\Windows\SysWOW64\reg.exe
                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                            3⤵
                              PID:2364
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                              3⤵
                              • Sets file execution options in registry
                              PID:5072
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                              3⤵
                                PID:752
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                3⤵
                                • Sets file execution options in registry
                                PID:3108
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                3⤵
                                • Sets file execution options in registry
                                PID:3616
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                3⤵
                                • Sets file execution options in registry
                                PID:2268
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                3⤵
                                  PID:1612
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                  3⤵
                                    PID:1888
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                    3⤵
                                      PID:1832
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                      3⤵
                                        PID:2384
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                        3⤵
                                        • Sets file execution options in registry
                                        PID:4364
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                        3⤵
                                          PID:4648
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                          3⤵
                                            PID:4488
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                            3⤵
                                              PID:952
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                              3⤵
                                              • Sets file execution options in registry
                                              PID:1636
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                              3⤵
                                              • Sets file execution options in registry
                                              PID:4540
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                              3⤵
                                              • Sets file execution options in registry
                                              PID:4252
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                              3⤵
                                                PID:3192
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                3⤵
                                                  PID:1964
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                  3⤵
                                                    PID:2776
                                                    • C:\Windows\System32\Conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      4⤵
                                                        PID:4940
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                      3⤵
                                                        PID:4440
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                        3⤵
                                                          PID:4844
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                          3⤵
                                                          • Sets file execution options in registry
                                                          PID:4192
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                          3⤵
                                                            PID:672
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                            3⤵
                                                              PID:3936
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                              3⤵
                                                              • Sets file execution options in registry
                                                              PID:3964
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                              3⤵
                                                                PID:1140
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                3⤵
                                                                  PID:4528
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                  3⤵
                                                                    PID:3092
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                    3⤵
                                                                    • Sets file execution options in registry
                                                                    PID:4360
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                    3⤵
                                                                      PID:2980
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                      3⤵
                                                                        PID:2068
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                        3⤵
                                                                        • Sets file execution options in registry
                                                                        PID:2460
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                        3⤵
                                                                          PID:3676
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                          3⤵
                                                                          • Sets file execution options in registry
                                                                          PID:732
                                                                          • C:\Windows\System32\Conhost.exe
                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            4⤵
                                                                              PID:3472
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                            3⤵
                                                                            • Sets file execution options in registry
                                                                            PID:4772
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                            3⤵
                                                                              PID:2564
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                              3⤵
                                                                                PID:4412
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                3⤵
                                                                                  PID:3200
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                  3⤵
                                                                                    PID:3696
                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      4⤵
                                                                                        PID:1832
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                      3⤵
                                                                                      • Sets file execution options in registry
                                                                                      PID:1932
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                      3⤵
                                                                                      • Sets file execution options in registry
                                                                                      PID:2840
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                      3⤵
                                                                                        PID:2292
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                        3⤵
                                                                                          PID:4600
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                          3⤵
                                                                                            PID:644
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                            3⤵
                                                                                              PID:5100
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                              3⤵
                                                                                                PID:2944
                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  4⤵
                                                                                                  • Sets file execution options in registry
                                                                                                  PID:644
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                3⤵
                                                                                                  PID:4488
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                  3⤵
                                                                                                    PID:1860
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                    3⤵
                                                                                                    • Sets file execution options in registry
                                                                                                    PID:3504
                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      4⤵
                                                                                                      • Sets file execution options in registry
                                                                                                      PID:2776
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                    3⤵
                                                                                                      PID:4280
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                      3⤵
                                                                                                        PID:2868
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                        3⤵
                                                                                                          PID:4440
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                          3⤵
                                                                                                            PID:588
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                            3⤵
                                                                                                              PID:4720
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                              3⤵
                                                                                                              • Sets file execution options in registry
                                                                                                              PID:1888
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                              3⤵
                                                                                                                PID:4928
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                3⤵
                                                                                                                • Sets file execution options in registry
                                                                                                                PID:4932
                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  4⤵
                                                                                                                  • Sets file execution options in registry
                                                                                                                  PID:3092
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                3⤵
                                                                                                                • Sets file execution options in registry
                                                                                                                PID:1240
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                3⤵
                                                                                                                • Sets file execution options in registry
                                                                                                                PID:4528
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                3⤵
                                                                                                                  PID:1976
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    4⤵
                                                                                                                    • Sets file execution options in registry
                                                                                                                    PID:1608
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                  3⤵
                                                                                                                    PID:2828
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                    3⤵
                                                                                                                    • Sets file execution options in registry
                                                                                                                    PID:112
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                    3⤵
                                                                                                                    • Sets file execution options in registry
                                                                                                                    PID:4672
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                    3⤵
                                                                                                                      PID:1912
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                      3⤵
                                                                                                                      • Sets file execution options in registry
                                                                                                                      PID:752
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                      3⤵
                                                                                                                        PID:3844
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                        3⤵
                                                                                                                        • Sets file execution options in registry
                                                                                                                        PID:3676
                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          4⤵
                                                                                                                            PID:1612
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                          3⤵
                                                                                                                            PID:2872
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                            3⤵
                                                                                                                              PID:4628
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                              3⤵
                                                                                                                                PID:2504
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                3⤵
                                                                                                                                • Sets file execution options in registry
                                                                                                                                PID:4312
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                3⤵
                                                                                                                                • Sets file execution options in registry
                                                                                                                                PID:4412
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                3⤵
                                                                                                                                • Sets file execution options in registry
                                                                                                                                PID:4632
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                3⤵
                                                                                                                                • Sets file execution options in registry
                                                                                                                                PID:1232
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                3⤵
                                                                                                                                  PID:2936
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                  3⤵
                                                                                                                                  • Sets file execution options in registry
                                                                                                                                  PID:3468
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                  3⤵
                                                                                                                                    PID:2756
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                    3⤵
                                                                                                                                    • Sets file execution options in registry
                                                                                                                                    PID:3596
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                    3⤵
                                                                                                                                      PID:1012
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                      3⤵
                                                                                                                                      • Sets file execution options in registry
                                                                                                                                      PID:212
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                      3⤵
                                                                                                                                        PID:844
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:2384
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:2912
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:2632
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:4488
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:3048
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:2944
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                        • Sets file execution options in registry
                                                                                                                                        PID:3984
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                        3⤵
                                                                                                                                          PID:740
                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                            4⤵
                                                                                                                                              PID:1756
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                            3⤵
                                                                                                                                            • Sets file execution options in registry
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            PID:4616
                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              4⤵
                                                                                                                                                PID:4392
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                              3⤵
                                                                                                                                                PID:4832
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                                3⤵
                                                                                                                                                • Sets file execution options in registry
                                                                                                                                                PID:1140
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
                                                                                                                                                3⤵
                                                                                                                                                • Sets file execution options in registry
                                                                                                                                                PID:1912
                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1390578.cn/tj.asp
                                                                                                                                                3⤵
                                                                                                                                                • Sets file execution options in registry
                                                                                                                                                • Checks processor information in registry
                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                PID:3936
                                                                                                                                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17410 /prefetch:2
                                                                                                                                                  4⤵
                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:3164
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat
                                                                                                                                              2⤵
                                                                                                                                                PID:2756
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat""
                                                                                                                                                2⤵
                                                                                                                                                  PID:3340
                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                1⤵
                                                                                                                                                • Sets file execution options in registry
                                                                                                                                                PID:1964
                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                1⤵
                                                                                                                                                • Sets file execution options in registry
                                                                                                                                                PID:672

                                                                                                                                              Network

                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                19.177.190.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                19.177.190.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                95.221.229.192.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                95.221.229.192.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                241.154.82.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                241.154.82.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                26.35.223.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                26.35.223.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                a96-17-178-172.deploy.static.akamaitechnologies.com
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                172.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                2.136.104.51.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                2.136.104.51.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                195.233.44.23.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                195.233.44.23.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                                195.233.44.23.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                a23-44-233-195deploystaticakamaitechnologiescom
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                157.123.68.40.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                157.123.68.40.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                198.187.3.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                198.187.3.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                www.1390578.cn
                                                                                                                                                IEXPLORE.EXE
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                www.1390578.cn
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                www.1390578.cn
                                                                                                                                                IEXPLORE.EXE
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                www.1390578.cn
                                                                                                                                                IN A
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                www.1390578.cn
                                                                                                                                                IEXPLORE.EXE
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                www.1390578.cn
                                                                                                                                                IN A
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                1.181.190.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                1.181.190.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                173.178.17.96.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                173.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                                173.178.17.96.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                a96-17-178-173deploystaticakamaitechnologiescom
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                18.31.95.13.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                18.31.95.13.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                2.36.159.162.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                2.36.159.162.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response
                                                                                                                                              • flag-us
                                                                                                                                                DNS
                                                                                                                                                208.194.73.20.in-addr.arpa
                                                                                                                                                Remote address:
                                                                                                                                                8.8.8.8:53
                                                                                                                                                Request
                                                                                                                                                208.194.73.20.in-addr.arpa
                                                                                                                                                IN PTR
                                                                                                                                                Response

                                                                                                                                                DNS Request

                                                                                                                                                195.233.44.23.in-addr.arpa

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                157.123.68.40.in-addr.arpa
                                                                                                                                                dns
                                                                                                                                                72 B
                                                                                                                                                146 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                157.123.68.40.in-addr.arpa

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                198.187.3.20.in-addr.arpa
                                                                                                                                                dns
                                                                                                                                                71 B
                                                                                                                                                157 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                198.187.3.20.in-addr.arpa

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                www.1390578.cn
                                                                                                                                                dns
                                                                                                                                                IEXPLORE.EXE
                                                                                                                                                60 B
                                                                                                                                                113 B
                                                                                                                                                1
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                www.1390578.cn

                                                                                                                                              • 8.8.8.8:53
                                                                                                                                                www.1390578.cn
                                                                                                                                                dns
                                                                                                                                                IEXPLORE.EXE
                                                                                                                                                120 B
                                                                                                                                                60 B
                                                                                                                                                2
                                                                                                                                                1

                                                                                                                                                DNS Request

                                                                                                                                                www.1390578.cn

                                                                                                                                                DNS Request

                                                                                                                                                www.1390578.cn

                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                              Downloads

                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\suggestions[1].en-US

                                                                                                                                                Filesize

                                                                                                                                                17KB

                                                                                                                                                MD5

                                                                                                                                                5a34cb996293fde2cb7a4ac89587393a

                                                                                                                                                SHA1

                                                                                                                                                3c96c993500690d1a77873cd62bc639b3a10653f

                                                                                                                                                SHA256

                                                                                                                                                c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                                                                                                SHA512

                                                                                                                                                e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat

                                                                                                                                                Filesize

                                                                                                                                                184B

                                                                                                                                                MD5

                                                                                                                                                71d35bc5913c09e9eb6a11d9f29e65d8

                                                                                                                                                SHA1

                                                                                                                                                7055487dafa72344122e6fa156b214c919a111cd

                                                                                                                                                SHA256

                                                                                                                                                099774f0f772cb4f0b476acd7683dbe1d39fa91f1c65a98604bc88ad1f576eb9

                                                                                                                                                SHA512

                                                                                                                                                2e12fc58e7b867a00f1cf11c391a3ea49ad49a927e043e344f6e5087f07bd3ffc6aa2de447bc47858ef9af90b5943341e8846f423ab5b21937829c8c52304bf8

                                                                                                                                              • C:\Windows\SysWOW64\Systom.exe

                                                                                                                                                Filesize

                                                                                                                                                27KB

                                                                                                                                                MD5

                                                                                                                                                29aee1ebc452c57d9bfaee973ae89873

                                                                                                                                                SHA1

                                                                                                                                                194151b20390a3a62032edc9de03f018817c060e

                                                                                                                                                SHA256

                                                                                                                                                69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c

                                                                                                                                                SHA512

                                                                                                                                                89a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d

                                                                                                                                              • C:\auToRun.inf

                                                                                                                                                Filesize

                                                                                                                                                156B

                                                                                                                                                MD5

                                                                                                                                                a1d4181824dc5e8ecec8369fa67864e4

                                                                                                                                                SHA1

                                                                                                                                                e1ec2b149df84a6b73d6e51fb696c79cac9fc4e6

                                                                                                                                                SHA256

                                                                                                                                                f6d56418c59ba518590b873917ec7fda9b7555b75161fc017e04d889dcfff9a5

                                                                                                                                                SHA512

                                                                                                                                                e36a3c5341fed3714d3dcd1c48faf24dc4207809d246b21f9988c655acf63cb6dc5a0d6888be8303af90905087d798c264f936cbcd39019897ccc26c9ee4c07f
