679392445dca5cc2c6efebd287ccc3eb354eab142972fe829b7511bafd08a3ad

Analysis

max time kernel
1800s
max time network
1162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

139.5MB
MD5

8fa1144ef7c7e9ff74df8d18a08af392
SHA1

8c6bdf47395b29030fc520be3b2c07de6caf653f
SHA256

2ab58d0da204479a94cfa67361c688119e5ae20b967fd0d36ac93d7abe163191
SHA512

0e4152be8b8d0d223b1a6c7d94246f81206cbd1f7eba16c32b19d112c02e24713a87801e87a0245ab2d4b89ab66a657d39c18480f2e5273afd0d6db82f74cf22
SSDEEP

786432:X14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:X14kpHwQjCWv+K18CedmVvEQEpcJW

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.exe	Loader.exe

Loads dropped DLL 3 IoCs

pid	Process
2296	Loader.exe
2296	Loader.exe
2296	Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupqrYGyX = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\Loader.exe"	Conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ipinfo.io
18	ipinfo.io
20	ipinfo.io
21	ipinfo.io

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Loader.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4088	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3152	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
4952	tasklist.exe
2228	tasklist.exe
3532	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2296	Loader.exe
2296	Loader.exe
2296	Loader.exe
2296	Loader.exe
1764	Loader.exe
1764	Loader.exe
3464	Conhost.exe
3464	Conhost.exe
3464	Conhost.exe
396	reg.exe
396	reg.exe
396	reg.exe
1016	cmd.exe
1016	cmd.exe
1016	cmd.exe
4376	reg.exe
4376	reg.exe
4376	reg.exe
4084	powershell.exe
4084	powershell.exe
5116	Conhost.exe
5116	Conhost.exe
1948	cmd.exe
1948	cmd.exe
3472	powershell.exe
3472	powershell.exe
4084	powershell.exe
1948	cmd.exe
2380	cmd.exe
2380	cmd.exe
2380	cmd.exe
5116	Conhost.exe
3472	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
4816	Loader.exe
4816	Loader.exe
4816	Loader.exe
4816	Loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe
Token: SeDebugPrivilege	3532	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4048	WMIC.exe
Token: SeSecurityPrivilege	4048	WMIC.exe
Token: SeTakeOwnershipPrivilege	4048	WMIC.exe
Token: SeLoadDriverPrivilege	4048	WMIC.exe
Token: SeSystemProfilePrivilege	4048	WMIC.exe
Token: SeSystemtimePrivilege	4048	WMIC.exe
Token: SeProfSingleProcessPrivilege	4048	WMIC.exe
Token: SeIncBasePriorityPrivilege	4048	WMIC.exe
Token: SeCreatePagefilePrivilege	4048	WMIC.exe
Token: SeBackupPrivilege	4048	WMIC.exe
Token: SeRestorePrivilege	4048	WMIC.exe
Token: SeShutdownPrivilege	4048	WMIC.exe
Token: SeDebugPrivilege	4048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4048	WMIC.exe
Token: SeRemoteShutdownPrivilege	4048	WMIC.exe
Token: SeUndockPrivilege	4048	WMIC.exe
Token: SeManageVolumePrivilege	4048	WMIC.exe
Token: 33	4048	WMIC.exe
Token: 34	4048	WMIC.exe
Token: 35	4048	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3296	2296	Loader.exe	91
PID 2296 wrote to memory of 3296	2296	Loader.exe	91
PID 3296 wrote to memory of 2228	3296	cmd.exe	93
PID 3296 wrote to memory of 2228	3296	cmd.exe	93
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 4984	2296	Loader.exe	94
PID 2296 wrote to memory of 1764	2296	Loader.exe	95
PID 2296 wrote to memory of 1764	2296	Loader.exe	95
PID 2296 wrote to memory of 2172	2296	Loader.exe	97
PID 2296 wrote to memory of 2172	2296	Loader.exe	97
PID 2172 wrote to memory of 1524	2172	cmd.exe	99
PID 2172 wrote to memory of 1524	2172	cmd.exe	99
PID 2296 wrote to memory of 4080	2296	Loader.exe	100
PID 2296 wrote to memory of 4080	2296	Loader.exe	100
PID 2296 wrote to memory of 1924	2296	Loader.exe	101
PID 2296 wrote to memory of 1924	2296	Loader.exe	101
PID 2296 wrote to memory of 1480	2296	Loader.exe	102
PID 2296 wrote to memory of 1480	2296	Loader.exe	102
PID 2296 wrote to memory of 4420	2296	Loader.exe	103
PID 2296 wrote to memory of 4420	2296	Loader.exe	103
PID 2296 wrote to memory of 3232	2296	Loader.exe	106
PID 2296 wrote to memory of 3232	2296	Loader.exe	106
PID 4080 wrote to memory of 3532	4080	cmd.exe	110
PID 4080 wrote to memory of 3532	4080	cmd.exe	110
PID 4420 wrote to memory of 4048	4420	cmd.exe	111
PID 4420 wrote to memory of 4048	4420	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops autorun.inf file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1736,14743370141791134359,5399950833615692042,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1736,14743370141791134359,5399950833615692042,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2296 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2296 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:1924
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:3444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:3232
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:1996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3520
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:2248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3152
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:384
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:396
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
    3⤵
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2296 get ExecutablePath"
  2⤵
  PID:5032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2296 get ExecutablePath
    3⤵
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqrYGyX /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe\" /F /rl highest"
  2⤵
  PID:3636
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqrYGyX /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe\" /F /rl highest
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqrYGyX /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe /f"
  2⤵
  PID:3272
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqrYGyX /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe /f
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe\"""
  2⤵
  PID:3232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe\""
    3⤵
    PID:1016
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe
      4⤵
      Views/modifies file attributes
      PID:1228
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
        5⤵
        
        PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Loader.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"
  2⤵
  PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:4688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:1200
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:1196
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:3692
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:4692
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
      4⤵
      PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:1464
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:404
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:4264
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:3356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:452
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:2628
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2380
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
      4⤵
      PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
  2⤵
  PID:1948
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    PID:2032
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
  2⤵
  PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\5odd3taaf86h.vbs"
  2⤵
  PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\W7CYNxrIeQLM_temp.ps1""
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1736,14743370141791134359,5399950833615692042,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupqrYGyX /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe\" /F /rl highest
1⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
1⤵
PID:4952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
1⤵
PID:2184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
1⤵
PID:4048

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
1⤵
PID:2476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
1⤵
PID:3472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
1⤵
PID:1536
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
  2⤵
  PID:2872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
1⤵
PID:4488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
1⤵
PID:2748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
1⤵
PID:5056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
1⤵
PID:2160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
1⤵
PID:1996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
1⤵
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Adds Run key to start application
PID:2568

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
1⤵
PID:532

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\5odd3taaf86h.vbs
1⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\W7CYNxrIeQLM_temp.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
1⤵
PID:2728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2952
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
  2⤵
  PID:632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
1⤵
PID:460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
1⤵
PID:1544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
1⤵
PID:460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2360

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
1⤵
PID:548

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
1⤵
PID:4432

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 23MTTR6n1EqC2QCTGhg7/A.0.2
1⤵
PID:1536

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
3d2fd83483fdcad6698e58ed0e644136

SHA1
ab7992ec106c77bf2737439b4625f23b0a8375cb

SHA256
eab3c2cd1667d2003bd786896ff935a108c04813251481ccaf43ad8b5a09ed7b

SHA512
ca2bd9281aee3240f6cb61d215d67f772b49304ba2433a8583f6c3345538b2e0c3dd4f785a1e803d2d50ed518092925a5fe5a25c802c12b2800fa279d37e9268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c2a26a05ae505fbff9a55a60fb799572

SHA1
c4d95c942bde11ee5ff563d521ef09a960ad5018

SHA256
12b045b5bfe391b1466e68e940d403d453607bbbf681af9545b7b1a7050f5c61

SHA512
1054a11a5357251a0177ac45efd4344c8204d35dd709fbcf6d91459d0c62e191b46f0006b75cdf60971391e5157051c7c8c056012df25e27bc69a1570ec1586e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c92e16464e3087e04e2301384bb34b2

SHA1
d23bb55a11e4736c73f652889e7e599b2c217163

SHA256
0f3b65f1d5b220f16d0cdf1bc68deda3e66c9eea2120cc185cda973ff6058f9a

SHA512
03f3a9f3bf2ba3db2a695c6ad60fb206fc8e539e9b7c221917eb4802e95370c17f167478d67b426c7d067e37c53030b318701c73956c30119b15f5b541b8e5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
918599108d982f7dc6b675827f60b6a3

SHA1
b8611926969257db40258df7b46917b0acfd3f6b

SHA256
3a2f43c9cb49e62391e9479c42acb7718c51245c39d15add7599c7423b619d9e

SHA512
d06c30f0243c1aa6245b71c2af3e3c84491c3ebd39cac54d6ce28d1c3cf42817ecaf89833f1a075233afffdda8d05f10d13271068112931b02ee1828745dab60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3315ff0b-c49d-4379-8e13-631528e4338e.tmp.node

Filesize
643KB

MD5
cc9ed377ba027cfa898986f63b76b051

SHA1
b8205ff032927abc7cd3e5d4e394709cc38fa450

SHA256
12bf581c70d7ce4cbeb3600a48cdfaed9fa5629ca2ee3fa91cc06543b2110cb9

SHA512
1bf4fa6585d77b577eabb97c6ca35ab81f613f81d6257cfcadfd33f346f4309aeba2fdde87988f9c73c340d414d44561f6fc7526a929633e69b4c7da008bb24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af2d98f-c286-455f-909d-ae7cd6cc09d3.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7CYNxrIeQLM_temp.ps1

Filesize
727B

MD5
4489634a20c12ae1c08e334afdca9ad3

SHA1
f62e96c3caf4bcadc5c40f38a06325015044cb48

SHA256
a00f10018cba791cc5a13c953f4a3bb2a497ae45150d5002ccb412ae2785d372

SHA512
39ac3b8959dbf8a4c5acb693cec7d42bd2710bfc13f4c7117052ce8f8b0719c58fea9764feedcce2ad0414b19d565622faee56f16b29998620533ffa2dd3ffda

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvkkpxma.b0i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff0f1d1c-f187-483c-9464-59f7e01ad891.tmp.node

Filesize
663KB

MD5
3aa0737411524cd5ae047ea0b8203930

SHA1
da3759832aa59a625c99c8546bf4e40dc8ce7c71

SHA256
1e46668d4196996c83a87173d30893720fd7046086b7b24ecd6ba3f3ecfcead3

SHA512
997f50e00164c5f8b3f7ba08911a8b58383260f16c95bde20f29f3bee8140e674adf93ca5bcd33dc9e23cd9ba7793e8206846692ac37ca63470ad7e4e19974f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrG2kxAr9k3i87qfLXYv\System\JQGVKGNK - 2024-01-23_025453.png

Filesize
304KB

MD5
8b4998e73a86387831df81b465ffe16e

SHA1
311e42fbe2fe3fa9c0a9e73de1a1e1afd44956c1

SHA256
654d32be3ecf9784dc560921d85eb548267f275ac7fbfce844dca80e2cfcd666

SHA512
bbcc66da84de43d7b429ae9f12f7eaf7c9b8777d4c45523acdeaee8708488077b3279838dc1c2d0beacbf55ee609be78fb030c0db9f9e247c728e7158f95c5d4

Download Submit
C:\Users\Admin\AppData\Roaming\5odd3taaf86h.vbs

Filesize
121B

MD5
0994ab1321f352cf6d5fc34b092c7186

SHA1
f58451b4bbd3fba16b0ef408f36c7cc98732b58b

SHA256
c9858287db46bac94f3c94f63a35484896bca90fb6eaca14f9e70fd75a11a653

SHA512
7d9e3ccb05c0b86ae24f5e633fd564f2347ab3b309ddc0a38f8808fa022595d6c8a049f01d21921fd0851b610e6f54987dd9d41f3018c41ed347da31b69c916d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
80a2b4ff7648f269c4d908dd7cf853ac

SHA1
2bcbd82ceee2b940b73944c2a31589b3a18ad315

SHA256
a5df524cd18138af3fc13af0b4e60d38b4edd760cd5cf94ef6eca3f2c3b8bf81

SHA512
6f0219875de4ccf0a586710dd1fd93cc42cd3ee0cd7a646b12c29f5cf43f189e287de8c54cb98034fafe61d312f9ce92ae7de74c58e8c610b641c66be5a84325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
254527bf4da1e94076b01defde720eef

SHA1
7d597e4fe733382ad09ea2d660cc4b13f9b9998b

SHA256
61aa2fd093f17405c9a0398079e6ac085d39b53abf009be3a650356d00079a2e

SHA512
b71117b0edf8e5e1fed4f49a4cf23e4608ebf95fd62d94a8aa795637e75ab8f9bb40611539c591af1b96411f8c1ebec26e820c01b336f2cb71e01781c4fc4e10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ba9bc53028675c595f9e42de34c1b8ab

SHA1
450bd1575b88f21168ee81e9ef043217a11cc07c

SHA256
b173abf8a616ba1c1ad7b552bafd619fbf347a2f67533a9e337e48f611310eae

SHA512
1da4400a1050ee5fb4abd07ceb143561dba42928ddece0ecddc328e7aaebb32469ff7080febced6669ed21c074f07dfaf676e3190381f7706bcaaedb61ac4652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Loader.exe

Filesize
1.7MB

MD5
d5613e76eeab994158fef8e481d1e19d

SHA1
09e33799560a8ddd41faa87d37350b248fa885ed

SHA256
d3cf682442b22badff30df16a96ff6396a40f1844d0755b79fe7f55fa41fdefb

SHA512
452ffbd497a8765d8d9fca5b1384862d196dfb60f7b8df0f9b9f97a4c82dc86429d47f9d072a7feca1e558269f0eda25c7aa3f219695d73a6df91b499cccaccd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qmjs2eet.default-release\places.sqlite_tmp

Filesize
1.1MB

MD5
8028e04ebe38a19fea7978b2b3cadf85

SHA1
4b1c638ecdb427a7072a51cacc839a99b0d3ae7c

SHA256
dd492bd9b5d0e0d4e0edd5701eb3a2f5969e7340c6714fe0b09a74c3289aa128

SHA512
01363668a94436144be38edecac7a8348ea6d7d4ff1ef69b7edd5d6cc34b67a642dc66822a93a1d09f6bea370c21437bb8ea30df3b00a1a64837bbc7d4555296

Download Submit
memory/396-53-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/396-58-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/396-54-0x0000026AFF770000-0x0000026AFF780000-memory.dmp

Filesize
64KB

Download
memory/396-55-0x0000026AFF770000-0x0000026AFF780000-memory.dmp

Filesize
64KB

Download
memory/404-269-0x000001CD25790000-0x000001CD257A0000-memory.dmp

Filesize
64KB

Download
memory/404-270-0x000001CD25790000-0x000001CD257A0000-memory.dmp

Filesize
64KB

Download
memory/404-299-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/404-268-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-76-0x000001BD4EF30000-0x000001BD4EF40000-memory.dmp

Filesize
64KB

Download
memory/1016-75-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-80-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-77-0x000001BD4EF30000-0x000001BD4EF40000-memory.dmp

Filesize
64KB

Download
memory/1948-192-0x000001DD72DC0000-0x000001DD72DD0000-memory.dmp

Filesize
64KB

Download
memory/1948-191-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-310-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-291-0x0000017EE55D0000-0x0000017EE55E0000-memory.dmp

Filesize
64KB

Download
memory/1984-311-0x0000017EE55D0000-0x0000017EE55E0000-memory.dmp

Filesize
64KB

Download
memory/1984-314-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-290-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-298-0x0000017EE55D0000-0x0000017EE55E0000-memory.dmp

Filesize
64KB

Download
memory/2380-271-0x000002653A150000-0x000002653A160000-memory.dmp

Filesize
64KB

Download
memory/2380-263-0x000002653A150000-0x000002653A160000-memory.dmp

Filesize
64KB

Download
memory/2380-262-0x000002653A150000-0x000002653A160000-memory.dmp

Filesize
64KB

Download
memory/2380-288-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/2380-261-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-29-0x0000019AEA9F0000-0x0000019AEAA12000-memory.dmp

Filesize
136KB

Download
memory/3464-35-0x0000019AEAA30000-0x0000019AEAA40000-memory.dmp

Filesize
64KB

Download
memory/3464-36-0x0000019AEAA30000-0x0000019AEAA40000-memory.dmp

Filesize
64KB

Download
memory/3464-34-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3464-40-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-309-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-231-0x000002873BAB0000-0x000002873BAC0000-memory.dmp

Filesize
64KB

Download
memory/3472-230-0x000002873BAB0000-0x000002873BAC0000-memory.dmp

Filesize
64KB

Download
memory/3472-220-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-272-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-151-0x000002AAAB6D0000-0x000002AAAB6E0000-memory.dmp

Filesize
64KB

Download
memory/4084-149-0x000002AAAB6D0000-0x000002AAAB6E0000-memory.dmp

Filesize
64KB

Download
memory/4084-148-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-103-0x000001BF74FA0000-0x000001BF74FB0000-memory.dmp

Filesize
64KB

Download
memory/4376-96-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-101-0x000001BF74FA0000-0x000001BF74FB0000-memory.dmp

Filesize
64KB

Download
memory/4376-108-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-389-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-395-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-421-0x000001A419380000-0x000001A419381000-memory.dmp

Filesize
4KB

Download
memory/4696-420-0x000001A419270000-0x000001A419271000-memory.dmp

Filesize
4KB

Download
memory/4696-419-0x000001A419270000-0x000001A419271000-memory.dmp

Filesize
4KB

Download
memory/4696-417-0x000001A419260000-0x000001A419261000-memory.dmp

Filesize
4KB

Download
memory/4696-405-0x000001A419060000-0x000001A419061000-memory.dmp

Filesize
4KB

Download
memory/4696-402-0x000001A419120000-0x000001A419121000-memory.dmp

Filesize
4KB

Download
memory/4696-399-0x000001A419130000-0x000001A419131000-memory.dmp

Filesize
4KB

Download
memory/4696-397-0x000001A419120000-0x000001A419121000-memory.dmp

Filesize
4KB

Download
memory/4696-396-0x000001A419130000-0x000001A419131000-memory.dmp

Filesize
4KB

Download
memory/4696-394-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-393-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-392-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-369-0x000001A410F40000-0x000001A410F50000-memory.dmp

Filesize
64KB

Download
memory/4696-385-0x000001A4194E0000-0x000001A4194E1000-memory.dmp

Filesize
4KB

Download
memory/4696-386-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-387-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-388-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-391-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4696-390-0x000001A419510000-0x000001A419511000-memory.dmp

Filesize
4KB

Download
memory/4816-345-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-346-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-350-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-347-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-338-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-348-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-349-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-344-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-339-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4816-340-0x000001AD14B50000-0x000001AD14B51000-memory.dmp

Filesize
4KB

Download
memory/4984-14-0x00007FFD00B60000-0x00007FFD00B61000-memory.dmp

Filesize
4KB

Download
memory/5116-199-0x000002ACEB160000-0x000002ACEB170000-memory.dmp

Filesize
64KB

Download
memory/5116-286-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-217-0x00007FFCE04F0000-0x00007FFCE0FB1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-200-0x000002ACEB160000-0x000002ACEB170000-memory.dmp

Filesize
64KB

Download