General Info

File name

streamer.exe.zip

Full analysis
https://app.any.run/tasks/259c252c-9219-4873-ad34-947845238592
Verdict
Malicious activity
Analysis date
12/2/2019, 20:47:15
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

9128df388886d65336cbf242ded529ae

SHA1

b6d51fc987c8baf30f972809d4359305bef0389a

SHA256

2c06a3f5ff262b96d7cc4132c9d1743fbcff146135404b23b2c43a6aef62c36b

SSDEEP

12288:RZ16PCVK55cc2y+OJ4A/U23RhdtXFwcY2+1tFvOh52yin0tXc:r16PCIUgbUYREc3+vEmyin0tM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • streamer.exe (PID: 1516)
  • streamer.exe (PID: 2640)
  • streamer.exe (PID: 1816)
  • streamer.exe (PID: 3480)
  • streamer.exe (PID: 3544)
  • streamer.exe (PID: 3504)
  • streamer.exe (PID: 3292)
  • streamer.exe (PID: 3896)
  • streamer.exe (PID: 2336)
  • streamer.exe (PID: 3400)
  • streamer.exe (PID: 2488)
Loads the Task Scheduler COM API
  • rundll32.exe (PID: 3800)
  • rundll32.exe (PID: 1096)
  • rundll32.exe (PID: 2152)
  • rundll32.exe (PID: 584)
  • rundll32.exe (PID: 928)
  • rundll32.exe (PID: 2388)
Starts Visual C# compiler
  • sdiagnhost.exe (PID: 516)
Executed via Task Scheduler
  • streamer.exe (PID: 3544)
  • streamer.exe (PID: 3480)
  • streamer.exe (PID: 3504)
  • streamer.exe (PID: 3292)
  • streamer.exe (PID: 2640)
  • streamer.exe (PID: 1816)
  • streamer.exe (PID: 1516)
  • streamer.exe (PID: 3400)
  • streamer.exe (PID: 3896)
  • streamer.exe (PID: 2336)
  • streamer.exe (PID: 2488)
Uses RUNDLL32.EXE to load library
  • msdt.exe (PID: 2764)
Creates files in the user directory
  • notepad++.exe (PID: 1928)
Executable content was dropped or overwritten
  • msdt.exe (PID: 2764)
Executed via COM
  • sdiagnhost.exe (PID: 516)
Manual execution by user
  • notepad++.exe (PID: 1928)
  • pcwrun.exe (PID: 3852)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
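Eleven launches of streamer.exe tagged "Executed via Task Scheduler" inside a four-minute task, together with six rundll32.exe instances loading the Task Scheduler COM API, point at a scheduled task with a short repetition interval as the persistence mechanism. The report does not show the task definition, so the Python below is an added example, not ANY.RUN's code, with constructed task XML standing in for the real one. It applies the checks a responder would run over the XML files in C:\Windows\System32\Tasks\ (or the output of `schtasks /query /tn <name> /xml`): an Exec command under a user-writable path, a repetition interval of a few minutes or less, a proxy host such as rundll32.exe as the command, and the Hidden setting. The paths, interval and hidden flag in both sample tasks are assumptions for illustration.

```python
"""Triage a scheduled-task definition for the persistence pattern in the report.

Added example, not ANY.RUN code. Both task XML documents below are CONSTRUCTED
for illustration; the report does not show the task that relaunched streamer.exe.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A task whose action lives here is the
# usual shape of user-level persistence (assumed list, extend to taste).
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%"
    r"|[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\)",
    re.IGNORECASE,
)
# Signed Windows hosts that run attacker-supplied code taken from their arguments.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
               "cscript.exe", "powershell.exe"}


def iso8601_seconds(duration):
    """Convert the ISO 8601 durations Task Scheduler uses (PT1M, PT30S, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_text, max_interval=300):
    """Return the reasons a task deserves a look; an empty list means nothing notable."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        if USER_WRITABLE.match(cmd):
            reasons.append(f"command in user-writable path: {cmd}")
        if cmd.rsplit("\\", 1)[-1].lower() in PROXY_HOSTS:
            reasons.append(f"proxy host as command: {cmd} {args}".rstrip())
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso8601_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs}s")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


# CONSTRUCTED: a task of the kind that would produce the report's behaviour.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2019-12-02T20:48:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\admin\AppData\Roaming\streamer.exe</Command></Exec>
  </Actions>
</Task>"""

# CONSTRUCTED: a daily task running a binary from System32, for contrast.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-12-02T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(f"{label}: {triage_task(xml_text) or ['nothing notable']}")
```

The interval threshold is deliberately coarse: legitimate maintenance tasks repeat hourly or daily, while a repetition of a minute or so is what produces a process list with a dozen copies of the same binary in a few minutes, as seen here.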

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:12:02 19:39:20
ZipCRC:
0xf3d9b3c1
ZipCompressedSize:
439274
ZipUncompressedSize:
862216
ZipFileName:
streamer.exe
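The static fields above (required version, bit flag, compression, DOS modify date, CRC, sizes, name) come straight from the archive's local file header. The Python below is an added example, not ANY.RUN's code or the sample's: it parses those headers from raw bytes, reproduces the EXIF-style fields, and cross-checks each local header against the central directory and the inflated content, since a mismatch between the two copies of the metadata is a known way to make one tool see a different file than another. The archive it parses is constructed in memory (a fake MZ stub named streamer.exe with the report's modification time); it is not the submitted sample, so its hashes and sizes differ from those listed above.

```python
"""Parse ZIP local file headers into the fields the report's static section shows.

Added example, not ANY.RUN code. The archive is CONSTRUCTED in memory (a fake
MZ stub named streamer.exe with the report's modification time); it is not the
submitted sample, so its hashes and sizes differ from those in the report.
"""
import io
import struct
import zipfile
import zlib
from datetime import datetime

LOCAL_SIG = 0x04034B50
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA"}


def dos_datetime(date_word, time_word):
    """Decode the MS-DOS date/time words stored in ZIP headers (2-second resolution)."""
    return datetime(((date_word >> 9) & 0x7F) + 1980, (date_word >> 5) & 0x0F,
                    date_word & 0x1F, (time_word >> 11) & 0x1F,
                    (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_local_headers(data):
    """Walk the local file headers in order and return the EXIF-style fields per entry."""
    entries, off = [], 0
    while off + 30 <= len(data):
        (sig, version, flag, method, mtime, mdate, crc,
         csize, usize, nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", data, off)
        if sig != LOCAL_SIG:
            break                       # reached the central directory (or junk)
        name = data[off + 30:off + 30 + nlen].decode("cp437")
        body = off + 30 + nlen + xlen
        entries.append({
            "ZipRequiredVersion": version,
            "ZipBitFlag": flag,         # the report prints a zero flag word as "null"
            "ZipCompression": COMPRESSION.get(method, f"unknown({method})"),
            "ZipModifyDate": dos_datetime(mdate, mtime).strftime("%Y:%m:%d %H:%M:%S"),
            "ZipCRC": f"0x{crc:08x}",
            "ZipCompressedSize": csize,
            "ZipUncompressedSize": usize,
            "ZipFileName": name,
            "_method": method,
            "_payload": data[body:body + csize],
        })
        if flag & 0x08:
            break   # bit 3: CRC/sizes live in a trailing data descriptor; stop rather than misparse
        off = body + csize
    return entries


def extract_entry(entry):
    """Inflate one entry from its local header (ZIP uses raw deflate, no zlib wrapper)."""
    if entry["_method"] == 0:
        return entry["_payload"]
    if entry["_method"] == 8:
        return zlib.decompress(entry["_payload"], -15)
    raise ValueError(f"unsupported compression method {entry['_method']}")


def check_consistency(data):
    """Cross-check local headers against the central directory and the inflated content.

    Extractors and scanners disagree on which copy of the metadata to trust, so a
    mismatch between the two is a classic way to show one file to the scanner and
    another to the user.
    """
    findings = []
    local = {e["ZipFileName"]: e for e in parse_local_headers(data)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:     # zipfile reads the central directory
        for zi in zf.infolist():
            loc = local.get(zi.filename)
            if loc is None:
                findings.append(f"{zi.filename}: listed in central directory, no local header")
                continue
            if int(loc["ZipCRC"], 16) != zi.CRC:
                findings.append(f"{zi.filename}: CRC differs between local header and central directory")
            if (loc["ZipCompressedSize"], loc["ZipUncompressedSize"]) != (zi.compress_size, zi.file_size):
                findings.append(f"{zi.filename}: sizes differ between local header and central directory")
            if zlib.crc32(extract_entry(loc)) != int(loc["ZipCRC"], 16):
                findings.append(f"{zi.filename}: local CRC does not match the inflated content")
    return findings


def build_sample_zip():
    """CONSTRUCTED archive: a fake MZ stub named streamer.exe, deflated, report's mtime."""
    payload = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("streamer.exe", date_time=(2019, 12, 2, 19, 39, 20))
        zf.writestr(info, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue(), payload


def tamper_local_crc(data):
    """Flip one byte of the first local header's CRC field (offset 14) to force a mismatch."""
    out = bytearray(data)
    out[14] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    data, _ = build_sample_zip()
    for entry in parse_local_headers(data):
        for key, value in entry.items():
            if not key.startswith("_"):
                print(f"{key}: {value}")
    print("findings:", check_consistency(data) or "none")
    print("after tampering:", check_consistency(tamper_local_crc(data)))
```

To run it against a real submission, read the archive bytes from disk instead of calling build_sample_zip(); the parser stops at the first entry that uses a data descriptor (bit 3 of the flag word), because in that layout the CRC and sizes in the local header are zero and only the central directory is authoritative.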

Processes

Total processes
75
Monitored processes
29
Malicious processes
3
Suspicious processes
11

Behavior graph

Monitored processes in the order the graph shows them ("no specs" means no indicator icons are attached to that node):

  • start
  • winrar.exe (no specs)
  • notepad++.exe
  • gup.exe
  • pcwrun.exe (no specs)
  • msdt.exe
  • sdiagnhost.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • rundll32.exe (no specs)
  • streamer.exe (no specs)
  • streamer.exe
  • rundll32.exe (no specs)
  • streamer.exe (no specs)
  • streamer.exe
  • rundll32.exe (no specs)
  • streamer.exe (no specs)
  • streamer.exe
  • rundll32.exe (no specs)
  • streamer.exe
  • rundll32.exe (no specs)
  • streamer.exe (no specs)
  • streamer.exe
  • rundll32.exe (no specs)
  • streamer.exe (no specs)
  • streamer.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2128
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\streamer.exe.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
1928
CMD
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Program Files\Notepad++\notepad++.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
Notepad++ : a free (GNU) source code editor
Version
7.51
Modules
Image
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\notepad++\scilexer.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\windowscodecs.dll
c:\program files\notepad++\plugins\mimetools.dll
c:\program files\notepad++\plugins\nppconverter.dll
c:\program files\notepad++\plugins\nppexport.dll

PID
3940
CMD
"C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path
C:\Program Files\Notepad++\updater\gup.exe
Indicators
Parent process
notepad++.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
GUP : a free (LGPL) Generic Updater
Version
4.1
Modules
Image
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll

PID
3852
CMD
C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\system32\pcwrun.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Program Compatibility Troubleshooter Invoker
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\pcwrun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\apphelp.dll

PID
2764
CMD
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCW8DF.xml /skip TRUE
Path
C:\Windows\System32\msdt.exe
Indicators
Parent process
pcwrun.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Diagnostics Troubleshooting Wizard
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msdt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\atl.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\duser.dll
c:\windows\system32\wer.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dui70.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\sdiageng.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rundll32.exe

PID
516
CMD
C:\Windows\System32\sdiagnhost.exe -Embedding
Path
C:\Windows\System32\sdiagnhost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Scripted Diagnostics Native Host
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sdiagnhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.windows.d#\1c755e2849bee87c5f0f4758d2d51ae6\microsoft.windows.diagnosis.sdhost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.windows.d#\8ac2425807a71c8133cfe1d40ba9ba67\microsoft.windows.diagnosis.commands.updatediagrootcause.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.windows.d#\9582f4042bd63965d8282ea15f63c934\microsoft.windows.diagnosis.commands.getdiaginput.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.windows.d#\a3c1bc5bfd402b4232df98aa5e5df103\microsoft.windows.diagnosis.commands.updatediagreport.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.windows.d#\b83e03dd807fb456c0bcceb3704c9702\microsoft.windows.diagnosis.commands.writediagprogress.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.serviceproce#\20008c75bb41e2febf84d4d4aea5b4e8\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.jscript\b3fde69f9642ab464bd3389f1fe3c5bd\microsoft.jscript.ni.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll

PID
2956
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\uxejne2w.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Indicators
Parent process
sdiagnhost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\cscomp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\alink.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorpe.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
1812
CMD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1014.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1013.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
2176
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\w2fvyhxu.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Indicators
Parent process
sdiagnhost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\cscomp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\alink.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorpe.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
3948
CMD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES115C.tmp" "c:\Users\admin\AppData\Local\Temp\CSC115B.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
2064
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hc2vrsiw.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Indicators
Parent process
sdiagnhost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\cscomp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\alink.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorpe.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
3972
CMD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES12D3.tmp" "c:\Users\admin\AppData\Local\Temp\CSC12D2.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
2388
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
2488
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll

PID
2336
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortserver2003compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
928
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
3896
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll

PID
1516
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortserver2003compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3800
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
3400
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll

PID
3292
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortserver2003compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
584
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
3504
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortwindows6compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2152
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
1816
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll

PID
3480
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortserver2003compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
1096
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\streamer.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
msdt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pcwutl.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
2640
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll

PID
3544
CMD
C:\Users\admin\Desktop\streamer.exe
Path
C:\Users\admin\Desktop\streamer.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Carifred
Description
Ultra Virus Killer AutoIt script parser
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\streamer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\apppatch\acxtrnal.dll
c:\windows\system32\shunimpl.dll
c:\windows\system32\sortserver2003compat.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
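
The two streamer.exe rows above tell one story: PID 2640 starts at MEDIUM integrity with only the image and ntdll.dll mapped and exits with 3221226540, then PID 3544 runs the same path at HIGH integrity and exits 0. The decimal exit code is an NTSTATUS, 0xC000042C = STATUS_ELEVATION_REQUIRED, which the loader returns when an image asks for administrator rights and was started without them; the elevated instance is the one whose behaviour the rest of the report shows. The script below is an added example for this page, not ANY.RUN's code: it decodes the exit column and pairs an elevation failure with the later high-integrity run of the same image. The NTSTATUS name table is a hand-picked subset of ntstatus.h, and REPORT_ROWS is transcribed from the process listing above.

```python
"""Decode the 'Exit code' column of a sandbox process listing.

Added example for this report, not ANY.RUN's code. Windows keeps a process
exit status as an unsigned 32-bit value; when the loader or kernel ends the
process instead of main() returning, that value is an NTSTATUS, so the
decimal 3221226540 printed for PID 2640 is 0xC000042C. The name table is a
small subset of ntstatus.h chosen for triage, not a complete list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

KNOWN_NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


@dataclass
class ExitCode:
    raw: int
    hex: str
    severity: str
    facility: int
    code: int
    name: Optional[str]


def decode_exit_code(value: int) -> ExitCode:
    """Split a 32-bit status into NTSTATUS fields.

    Bit layout, high to low: severity (2), customer (1), reserved (1),
    facility (12), code (16). An ordinary return value such as 0 or 1
    decodes as severity 'success' with facility 0, so this can run on
    every row of the listing without special-casing.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("exit code must be an unsigned 32-bit value")
    return ExitCode(
        raw=value,
        hex=f"0x{value:08X}",
        severity=SEVERITY[value >> 30],
        facility=(value >> 16) & 0x0FFF,
        code=value & 0xFFFF,
        name=KNOWN_NTSTATUS.get(value),
    )


ProcessRow = Tuple[int, str, str, int]  # (pid, image path, integrity level, exit code)


def elevation_retries(rows: Iterable[ProcessRow]) -> List[Tuple[int, int, str]]:
    """Pair a STATUS_ELEVATION_REQUIRED exit with a later HIGH-integrity run
    of the same image. Returns (failed pid, elevated pid, path) triples,
    which is the 2640 -> 3544 pattern in this report.
    """
    pending = {}
    found = []
    for pid, path, integrity, exit_code in rows:
        key = path.lower()
        if decode_exit_code(exit_code).name == "STATUS_ELEVATION_REQUIRED":
            pending[key] = pid
        elif integrity.upper() == "HIGH" and key in pending:
            found.append((pending.pop(key), pid, path))
    return found


# The two streamer.exe rows transcribed from this report's process listing.
REPORT_ROWS: List[ProcessRow] = [
    (2640, r"C:\Users\admin\Desktop\streamer.exe", "MEDIUM", 3221226540),
    (3544, r"C:\Users\admin\Desktop\streamer.exe", "HIGH", 0),
]

if __name__ == "__main__":
    for pid, path, integrity, code in REPORT_ROWS:
        d = decode_exit_code(code)
        print(f"PID {pid} {integrity:6} exit {d.hex} {d.name or ''}")
    print("elevated relaunch:", elevation_retries(REPORT_ROWS))
```

Run it on the full process listing rather than these two rows and any image that dies with 0xC000042C without a HIGH-integrity successor is one that was denied elevation, which in a sandbox with UAC auto-confirmation off changes what the report can show you.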

Registry activity

Total events
662
Read events
594
Write events
68
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\p2pcollab.dll,-8042
Peer to Peer Trust
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\qagentrt.dll,-10
System Health Authentication
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\dnsapi.dll,-103
Domain Name System (DNS) Server Trust
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-843
BitLocker Drive Encryption
1928
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-844
BitLocker Data Recovery Agent
1928
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1928
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2764
msdt.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
2764
msdt.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2764
msdt.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# WINXPSP2
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# VISTARTM
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# WINXPSP2 RUNASADMIN
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# WIN2000
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2128
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\streamer.exe.zip
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
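
The sdiagnhost.exe rows above write shim layers for streamer.exe under HKCU\...\AppCompatFlags\Layers, including "# WINXPSP2 RUNASADMIN". That key needs no administrative rights to write, yet a RUNASADMIN layer makes every later launch of the image ask for elevation, so the question an analyst has to answer is which process set it. Here the writer is sdiagnhost.exe, the host of the Program Compatibility troubleshooter whose package files appear in the dropped-file list, i.e. user interaction in the sandbox rather than the sample. The parser below is an added example for this page, not ANY.RUN's code: it reads the flattened event listing as printed above, copes with rows that have no data line (WinRAR's ShellExtBMP), and pulls out the layers applied to an image and who applied them. SAMPLE_EVENTS is copied from rows in the listing above.

```python
"""Pull AppCompat shim layers out of a 'Modification events' listing.

Added example, not ANY.RUN's code. The listing prints one registry event as
a run of lines: PID, process, operation, key, value name and, when the
report has one, the data. Some rows (WinRAR's ShellExtBMP) have no data
line, so record boundaries are found by shape (digits, *.exe, operation)
instead of counting six lines per row. SAMPLE_EVENTS is copied from the
report's own rows.
"""
import re
from typing import List, Tuple

OPERATIONS = {"write", "delete"}
PROCESS_LINE = re.compile(r".+\.exe$", re.IGNORECASE)
LAYERS_KEY = re.compile(r"\\AppCompatFlags\\Layers$", re.IGNORECASE)

SAMPLE_EVENTS = r"""
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# WINXPSP2
516
sdiagnhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\admin\Desktop\streamer.exe
# WINXPSP2 RUNASADMIN
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2128
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
"""


def _starts_record(lines: List[str], i: int) -> bool:
    """A record starts at a numeric PID followed by a process name and an operation.
    The three-line look-ahead keeps a data line of '0' from being taken for a PID."""
    return (i + 2 < len(lines) and lines[i].isdigit()
            and PROCESS_LINE.match(lines[i + 1]) is not None
            and lines[i + 2] in OPERATIONS)


def parse_registry_events(text: str) -> List[dict]:
    """Turn the flattened listing into dicts; header and stray lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        if not _starts_record(lines, i):
            i += 1
            continue
        j = i + 3
        while j < len(lines) and not _starts_record(lines, j):
            j += 1
        body = lines[i + 3:j] + [None, None, None]  # pad a missing key/name/data
        records.append({"pid": int(lines[i]), "process": lines[i + 1],
                        "operation": lines[i + 2], "key": body[0],
                        "name": body[1], "value": body[2]})
        i = j
    return records


def compat_layers(records, image_path: str) -> List[Tuple[int, str, str]]:
    """Shim layers written for image_path as (pid, writer process, layer string)."""
    return [(r["pid"], r["process"], r["value"] or "")
            for r in records
            if r["operation"] == "write" and r["key"] and LAYERS_KEY.search(r["key"])
            and r["name"] and r["name"].lower() == image_path.lower()]


def run_as_admin_targets(records) -> List[Tuple[str, int, str]]:
    """Images given a RUNASADMIN layer, with the PID and process that wrote it."""
    return sorted({(r["name"], r["pid"], r["process"]) for r in records
                   if r["operation"] == "write" and r["key"] and LAYERS_KEY.search(r["key"])
                   and r["value"] and "RUNASADMIN" in r["value"].upper().split()})


if __name__ == "__main__":
    recs = parse_registry_events(SAMPLE_EVENTS)
    print(compat_layers(recs, r"C:\Users\admin\Desktop\streamer.exe"))
    print(run_as_admin_targets(recs))
```

The same check belongs in a host investigation: a RUNASADMIN entry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (and the HKLM copy) written by anything other than the compatibility troubleshooter or an administrator's hand is worth a look, because it quietly turns a user-writable registry value into an elevation prompt on every launch of the target.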

Files activity

Executable files
2
Suspicious files
1
Text files
24
Unknown types
1

Dropped files

PID
Process
Filename
Type
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\en-US\DiagPackage.dll.mui
executable
MD5: c31bd28ab34e75bc65a5458ac8d37539
SHA256: 5fb9e280013d58043c5689478f9dcfad3212f4681534627eb33998ddd6f63308
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\DiagPackage.dll
executable
MD5: 4b9f845d6ff4bced0ea8d7b0ea4ae7e7
SHA256: 21369005c8400b68d8cab1a9a6c4d5809f5a685a8e18d311272467bb25d3d3c8
2176
csc.exe
C:\Users\admin\AppData\Local\Temp\w2fvyhxu.pdb
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\latest.cab
compressed
MD5: 2404b0934bd26516c506f3e7d1af03c9
SHA256: 2f6b7191a0c6ada581654944f355c950c930e0fa8bcc82c2cd14e89e5a8e1f83
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\PLA6E52.tmp
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\PLA1114.tmp
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\PLA33A6.tmp
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\PLA50A9.tmp
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\PLAD3C.tmp
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\results.xsl
xml
MD5: 310e1da2344ba6ca96666fb639840ea9
SHA256: 67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\ResultReport.xml
xml
MD5: 83c2bbc929f501f97301f90ced9b2cea
SHA256: f37800f81b2d6b97e1493f792b66adf77e785489f87ffa8cff7c63c88b690c50
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\DebugReport.xml
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\result\ResultReport.xml
––
MD5:  ––
SHA256:  ––
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\result\DebugReport.xml
––
MD5:  ––
SHA256:  ––
2064
csc.exe
C:\Users\admin\AppData\Local\Temp\hc2vrsiw.out
––
MD5:  ––
SHA256:  ––
2064
csc.exe
C:\Users\admin\AppData\Local\Temp\hc2vrsiw.dll
––
MD5:  ––
SHA256:  ––
3972
cvtres.exe
C:\Users\admin\AppData\Local\Temp\RES12D3.tmp
––
MD5:  ––
SHA256:  ––
2064
csc.exe
C:\Users\admin\AppData\Local\Temp\hc2vrsiw.pdb
pdb
MD5: b90902083cfef04020a413fe55f69924
SHA256: 720fe318da8781cdc96fc1d9002404787fa88ecbf39448b6a6970b34adb2dfb8
2064
csc.exe
C:\Users\admin\AppData\Local\Temp\CSC12D2.tmp
––
MD5:  ––
SHA256:  ––
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\hc2vrsiw.cmdline
text
MD5: 661a3b0b6590fa2d6f5b4977677177c3
SHA256: 416aea8d86fc89acac1a9045df31887172087e5409a441dcee6f75285eb738dd
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\hc2vrsiw.0.cs
––
MD5:  ––
SHA256:  ––
2176
csc.exe
C:\Users\admin\AppData\Local\Temp\w2fvyhxu.out
––
MD5:  ––
SHA256:  ––
2176
csc.exe
C:\Users\admin\AppData\Local\Temp\w2fvyhxu.dll
––
MD5:  ––
SHA256:  ––
3948
cvtres.exe
C:\Users\admin\AppData\Local\Temp\RES115C.tmp
––
MD5:  ––
SHA256:  ––
2176
csc.exe
C:\Users\admin\AppData\Local\Temp\CSC115B.tmp
––
MD5:  ––
SHA256:  ––
2128
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2128.6541\streamer.exe
––
MD5:  ––
SHA256:  ––
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\w2fvyhxu.0.cs
text
MD5: 3880de647b10555a534f34d5071fe461
SHA256: f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\w2fvyhxu.cmdline
text
MD5: 75f8b58143a42a6359e92e5fa464727f
SHA256: d523af85d9de281853868ce35dabb2d29b4d6f8ebb04e3c329bc75075f5ffeed
2956
csc.exe
C:\Users\admin\AppData\Local\Temp\uxejne2w.out
––
MD5:  ––
SHA256:  ––
1812
cvtres.exe
C:\Users\admin\AppData\Local\Temp\RES1014.tmp
––
MD5:  ––
SHA256:  ––
2956
csc.exe
C:\Users\admin\AppData\Local\Temp\uxejne2w.dll
––
MD5:  ––
SHA256:  ––
2956
csc.exe
C:\Users\admin\AppData\Local\Temp\CSC1013.tmp
––
MD5:  ––
SHA256:  ––
2956
csc.exe
C:\Users\admin\AppData\Local\Temp\uxejne2w.pdb
––
MD5:  ––
SHA256:  ––
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\uxejne2w.cmdline
text
MD5: cfafe5992f936c781c3f6b08e9148cc6
SHA256: 49239133276a167f02615b2895b4ae5511aaf2e53faf489af35490a2c0df6a3b
516
sdiagnhost.exe
C:\Users\admin\AppData\Local\Temp\uxejne2w.0.cs
text
MD5: b0dc59b099ca7c12fb8ad72d3c50c82c
SHA256: e75eaaa3d7908fb05000c0a957048d20091a0d2575e87d091d11cdb3a5b562e5
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\result\results.xsl
xml
MD5: 310e1da2344ba6ca96666fb639840ea9
SHA256: 67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\en-US\CL_LocalizationData.psd1
text
MD5: 863dc7fd9d5e14bb639eaaf596d64416
SHA256: 97eb6f256a278ff10b200fa6e248b7a89ba956d9f533d138302c7f3721a95d8e
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\results.xml
text
MD5: e8e86a4292c53c0513e9743b61b016dd
SHA256: 8b565e123eb1567177661245a00b242073108f096edcd0f0aadab76e6cb058e8
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\RS_ProgramCompatibilityWizard.ps1
text
MD5: 367fe5f4c6db87e1600f46687e5aac54
SHA256: 177625ac9b07bbffcbbb47101c2d1121f47b03b42226861bfd7974b9cebc0c98
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\TS_ProgramCompatibilityWizard.ps1
text
MD5: 46e22c2582b54be56d80d7a79fec9bb5
SHA256: 459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\VF_ProgramCompatibilityWizard.ps1
text
MD5: c219205abf50bb950b93d0824d483780
SHA256: 5284d805b918f161565150ec64b787e4ea681de69b1ad832f316f94db6dbcb75
2764
msdt.exe
C:\Users\admin\AppData\Local\Temp\SDIAG_fe9d3ea9-4cca-463f-8ebd-9362ca5a89fd\DiagPackage.diagpkg
html
MD5: 18a906a43c1c3e27064db30c81505234
SHA256: 041430d1f0ae14300c46bdcd917c882f4850da3d6010e3fbf692023655bc406e
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\resultreport.xml
xml
MD5: 83c2bbc929f501f97301f90ced9b2cea
SHA256: f37800f81b2d6b97e1493f792b66adf77e785489f87ffa8cff7c63c88b690c50
3852
pcwrun.exe
C:\Users\admin\AppData\Local\Temp\PCW8DF.xml
xml
MD5: 48df712113539c69b3b919c4b20a357c
SHA256: f9e5068e1c1ea40b78d8ef7958d08ada90a3a471402a00c2f1d92a6e9e493222
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\session.xml
text
MD5: edf17bd380b0639f4e0cbd978b820c17
SHA256: a96248f6c7ef129bdd88a849f48d0d7373b22301822cabf103e4bb2b7c8eadb6
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\config.xml
xml
MD5: 30b204e0738a6d5058835ee0ae7e3989
SHA256: caac1d12843928845c8749d2922c9cb8e797137f44bc6a48b5401df1507955c5
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
text
MD5: f70f579156c93b097e656caba577a5c9
SHA256: b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
text
MD5: ad21a64014891793dd9b21d835278f36
SHA256: c24699c9d00abdd510140fe1b2ace97bfc70d8b21bf3462ded85afc4f73fe52f
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
xml
MD5: 44982e1d48434c0ab3e8277e322dd1e4
SHA256: 3e661d3f1ff3977b022a0acc26b840b5e57d600bc03dcfc6befdb408c665904c
1928
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
xml
MD5: e792264bec29005b9044a435fba185ab
SHA256: 5298fd2f119c43d04f6cf831f379ec25b4156192278e40e458ec356f9b49d624
2764
msdt.exe
C:\Users\admin\AppData\Local\Diagnostics\733862231\2019120219.000\PCW.0.debugreport.xml
xml
MD5: edcfecaebca85b91d88258dc6f077126
SHA256: d06b3eb02f9ca3f47e3faa9c1df1397df1f4fe91cf05e1afd377864dd6beade2


Network activity

HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID: ––
Process: ––
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
CN: US
Type: der
Size: ––
Reputation: whitelisted


Connections

PID Process IP ASN CN Reputation
3940 gup.exe 104.31.88.28:443 Cloudflare Inc US shared
–– –– 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted

DNS requests

Domain IP Reputation
notepad-plus-plus.org 104.31.88.28, 104.31.89.28 whitelisted
ocsp.digicert.com 93.184.220.29 whitelisted

Threats

No threats detected.

Debug output strings

Process Message
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
(the line above is repeated 161 more times in the report, all from PID 3544)
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
streamer.exe FTH: (3544): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***