azorult | 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10
submitted
09-07-2020 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI_#06875654.exe
Size

613KB
MD5

f39696f5a42d2d53c17050bbfcc5154e
SHA1

8f5b5241ffbff92bc59d5801c064b881fbdd69dc
SHA256

5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f
SHA512

2eee98e43403d6740501dfe479529eb429ec300845691f8c81b38940cfa65d689fba48267abd42ed7f3532646b4f714a0fbba230871cced7fc9b8d6bc67f3f28

Score

10^/10

discovery trojan infostealer azorult spyware

Malware Config

Extracted

Family

azorult

http://45.95.168.162/city/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 3048 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exe

pid	process
792	PI_#06875654.exe
792	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2296	PI_#06875654.exe
2280	PI_#06875654.exe
2296	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
2280	PI_#06875654.exe
3220	PI_#06875654.exe
3220	PI_#06875654.exe
3872	PI_#06875654.exe
3872	PI_#06875654.exe
3872	PI_#06875654.exe
3872	PI_#06875654.exe

Suspicious behavior: MapViewOfSection 80 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exe

pid	process
792	PI_#06875654.exe
3220	PI_#06875654.exe
1040	PI_#06875654.exe
1460	PI_#06875654.exe
2784	PI_#06875654.exe
3472	PI_#06875654.exe
1780	PI_#06875654.exe
2784	PI_#06875654.exe
3676	PI_#06875654.exe
916	PI_#06875654.exe
3864	PI_#06875654.exe
3760	PI_#06875654.exe
1904	PI_#06875654.exe
3648	PI_#06875654.exe
416	PI_#06875654.exe
4036	PI_#06875654.exe
1252	PI_#06875654.exe
3816	PI_#06875654.exe
1884	PI_#06875654.exe
2036	PI_#06875654.exe
1912	PI_#06875654.exe
996	PI_#06875654.exe
3576	PI_#06875654.exe
1460	PI_#06875654.exe
2160	PI_#06875654.exe
3452	PI_#06875654.exe
3600	PI_#06875654.exe
3836	PI_#06875654.exe
1812	PI_#06875654.exe
384	PI_#06875654.exe
3132	PI_#06875654.exe
2956	PI_#06875654.exe
3388	PI_#06875654.exe
2956	PI_#06875654.exe
3636	PI_#06875654.exe
3944	PI_#06875654.exe
1756	PI_#06875654.exe
1252	PI_#06875654.exe
2336	PI_#06875654.exe
1812	PI_#06875654.exe
3836	PI_#06875654.exe
1488	PI_#06875654.exe
1912	PI_#06875654.exe
3556	PI_#06875654.exe
2404	PI_#06875654.exe
4092	PI_#06875654.exe
380	PI_#06875654.exe
3456	PI_#06875654.exe
2344	PI_#06875654.exe
1356	PI_#06875654.exe
2176	PI_#06875654.exe
744	PI_#06875654.exe
3044	PI_#06875654.exe
1328	PI_#06875654.exe
1948	PI_#06875654.exe
2520	PI_#06875654.exe
3844	PI_#06875654.exe
2404	PI_#06875654.exe
1896	PI_#06875654.exe
3896	PI_#06875654.exe
3976	PI_#06875654.exe
4048	PI_#06875654.exe
2112	PI_#06875654.exe
3876	PI_#06875654.exe

Suspicious use of SetThreadContext 80 IoCs

Processes:

description	pid	process	target process
PID 792 set thread context of 2296	792	PI_#06875654.exe	PI_#06875654.exe
PID 3220 set thread context of 3916	3220	PI_#06875654.exe	PI_#06875654.exe
PID 1040 set thread context of 3012	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1460 set thread context of 1600	1460	PI_#06875654.exe	PI_#06875654.exe
PID 2784 set thread context of 500	2784	PI_#06875654.exe	PI_#06875654.exe
PID 3472 set thread context of 1464	3472	PI_#06875654.exe	PI_#06875654.exe
PID 1780 set thread context of 3824	1780	PI_#06875654.exe	PI_#06875654.exe
PID 2784 set thread context of 1348	2784	PI_#06875654.exe	PI_#06875654.exe
PID 3676 set thread context of 3940	3676	PI_#06875654.exe	PI_#06875654.exe
PID 916 set thread context of 2168	916	PI_#06875654.exe	PI_#06875654.exe
PID 3864 set thread context of 2856	3864	PI_#06875654.exe	PI_#06875654.exe
PID 3760 set thread context of 1912	3760	PI_#06875654.exe	PI_#06875654.exe
PID 1904 set thread context of 3248	1904	PI_#06875654.exe	PI_#06875654.exe
PID 3648 set thread context of 804	3648	PI_#06875654.exe	PI_#06875654.exe
PID 416 set thread context of 1664	416	PI_#06875654.exe	PI_#06875654.exe
PID 4036 set thread context of 2060	4036	PI_#06875654.exe	PI_#06875654.exe
PID 1252 set thread context of 1912	1252	PI_#06875654.exe	PI_#06875654.exe
PID 3816 set thread context of 1240	3816	PI_#06875654.exe	PI_#06875654.exe
PID 1884 set thread context of 2952	1884	PI_#06875654.exe	PI_#06875654.exe
PID 2036 set thread context of 1192	2036	PI_#06875654.exe	PI_#06875654.exe
PID 1912 set thread context of 3892	1912	PI_#06875654.exe	PI_#06875654.exe
PID 996 set thread context of 588	996	PI_#06875654.exe	PI_#06875654.exe
PID 3576 set thread context of 3824	3576	PI_#06875654.exe	PI_#06875654.exe
PID 1460 set thread context of 416	1460	PI_#06875654.exe	PI_#06875654.exe
PID 2160 set thread context of 636	2160	PI_#06875654.exe	PI_#06875654.exe
PID 3452 set thread context of 3192	3452	PI_#06875654.exe	PI_#06875654.exe
PID 3600 set thread context of 1460	3600	PI_#06875654.exe	PI_#06875654.exe
PID 3836 set thread context of 3688	3836	PI_#06875654.exe	PI_#06875654.exe
PID 1812 set thread context of 976	1812	PI_#06875654.exe	PI_#06875654.exe
PID 384 set thread context of 1748	384	PI_#06875654.exe	PI_#06875654.exe
PID 3132 set thread context of 3472	3132	PI_#06875654.exe	PI_#06875654.exe
PID 2956 set thread context of 3496	2956	PI_#06875654.exe	PI_#06875654.exe
PID 3388 set thread context of 2320	3388	PI_#06875654.exe	PI_#06875654.exe
PID 2956 set thread context of 2280	2956	PI_#06875654.exe	PI_#06875654.exe
PID 3636 set thread context of 692	3636	PI_#06875654.exe	PI_#06875654.exe
PID 3944 set thread context of 3296	3944	PI_#06875654.exe	PI_#06875654.exe
PID 1756 set thread context of 1656	1756	PI_#06875654.exe	PI_#06875654.exe
PID 1252 set thread context of 3192	1252	PI_#06875654.exe	PI_#06875654.exe
PID 2336 set thread context of 500	2336	PI_#06875654.exe	PI_#06875654.exe
PID 1812 set thread context of 3004	1812	PI_#06875654.exe	PI_#06875654.exe
PID 3836 set thread context of 3144	3836	PI_#06875654.exe	PI_#06875654.exe
PID 1488 set thread context of 3568	1488	PI_#06875654.exe	PI_#06875654.exe
PID 1912 set thread context of 3664	1912	PI_#06875654.exe	PI_#06875654.exe
PID 3556 set thread context of 1660	3556	PI_#06875654.exe	PI_#06875654.exe
PID 2404 set thread context of 3812	2404	PI_#06875654.exe	PI_#06875654.exe
PID 4092 set thread context of 3816	4092	PI_#06875654.exe	PI_#06875654.exe
PID 380 set thread context of 3732	380	PI_#06875654.exe	PI_#06875654.exe
PID 3456 set thread context of 1492	3456	PI_#06875654.exe	PI_#06875654.exe
PID 2344 set thread context of 3816	2344	PI_#06875654.exe	PI_#06875654.exe
PID 1356 set thread context of 808	1356	PI_#06875654.exe	PI_#06875654.exe
PID 2176 set thread context of 688	2176	PI_#06875654.exe	PI_#06875654.exe
PID 744 set thread context of 2336	744	PI_#06875654.exe	PI_#06875654.exe
PID 3044 set thread context of 576	3044	PI_#06875654.exe	PI_#06875654.exe
PID 1328 set thread context of 3144	1328	PI_#06875654.exe	PI_#06875654.exe
PID 1948 set thread context of 3596	1948	PI_#06875654.exe	PI_#06875654.exe
PID 2520 set thread context of 1748	2520	PI_#06875654.exe	PI_#06875654.exe
PID 3844 set thread context of 3044	3844	PI_#06875654.exe	PI_#06875654.exe
PID 2404 set thread context of 3860	2404	PI_#06875654.exe	PI_#06875654.exe
PID 1896 set thread context of 1812	1896	PI_#06875654.exe	PI_#06875654.exe
PID 3896 set thread context of 2576	3896	PI_#06875654.exe	PI_#06875654.exe
PID 3976 set thread context of 392	3976	PI_#06875654.exe	PI_#06875654.exe
PID 4048 set thread context of 940	4048	PI_#06875654.exe	PI_#06875654.exe
PID 2112 set thread context of 1772	2112	PI_#06875654.exe	PI_#06875654.exe
PID 3876 set thread context of 1236	3876	PI_#06875654.exe	PI_#06875654.exe

Loads dropped DLL 335 IoCs

Processes:

pid	process
2296	PI_#06875654.exe
2296	PI_#06875654.exe
2296	PI_#06875654.exe
2296	PI_#06875654.exe
3916	PI_#06875654.exe
3916	PI_#06875654.exe
3916	PI_#06875654.exe
3916	PI_#06875654.exe
3916	PI_#06875654.exe
3012	PI_#06875654.exe
3012	PI_#06875654.exe
3012	PI_#06875654.exe
3012	PI_#06875654.exe
1600	PI_#06875654.exe
1600	PI_#06875654.exe
1600	PI_#06875654.exe
1600	PI_#06875654.exe
500	PI_#06875654.exe
500	PI_#06875654.exe
500	PI_#06875654.exe
500	PI_#06875654.exe
1464	PI_#06875654.exe
1464	PI_#06875654.exe
1464	PI_#06875654.exe
1464	PI_#06875654.exe
3824	PI_#06875654.exe
3824	PI_#06875654.exe
3824	PI_#06875654.exe
3824	PI_#06875654.exe
1348	PI_#06875654.exe
1348	PI_#06875654.exe
1348	PI_#06875654.exe
1348	PI_#06875654.exe
3940	PI_#06875654.exe
3940	PI_#06875654.exe
3940	PI_#06875654.exe
3940	PI_#06875654.exe
3940	PI_#06875654.exe
2168	PI_#06875654.exe
2168	PI_#06875654.exe
2168	PI_#06875654.exe
2168	PI_#06875654.exe
2856	PI_#06875654.exe
2856	PI_#06875654.exe
2856	PI_#06875654.exe
2856	PI_#06875654.exe
2856	PI_#06875654.exe
1912	PI_#06875654.exe
1912	PI_#06875654.exe
1912	PI_#06875654.exe
1912	PI_#06875654.exe
3248	PI_#06875654.exe
3248	PI_#06875654.exe
3248	PI_#06875654.exe
3248	PI_#06875654.exe
804	PI_#06875654.exe
804	PI_#06875654.exe
804	PI_#06875654.exe
804	PI_#06875654.exe
1664	PI_#06875654.exe
1664	PI_#06875654.exe
1664	PI_#06875654.exe
1664	PI_#06875654.exe
2060	PI_#06875654.exe

Delays execution with timeout.exe 79 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3676	timeout.exe
2948	timeout.exe
3640	timeout.exe
1584	timeout.exe
3820	timeout.exe
2120	timeout.exe
692	timeout.exe
1236	timeout.exe
744	timeout.exe
612	timeout.exe
2200	timeout.exe
508	timeout.exe
3728	timeout.exe
3676	timeout.exe
4032	timeout.exe
3664	timeout.exe
2176	timeout.exe
3800	timeout.exe
3852	timeout.exe
2324	timeout.exe
3956	timeout.exe
2280	timeout.exe
2148	timeout.exe
740	timeout.exe
2428	timeout.exe
4032	timeout.exe
3812	timeout.exe
344	timeout.exe
2112	timeout.exe
972	timeout.exe
2344	timeout.exe
1644	timeout.exe
2280	timeout.exe
2224	timeout.exe
3320	timeout.exe
3576	timeout.exe
2976	timeout.exe
3000	timeout.exe
1488	timeout.exe
3860	timeout.exe
2220	timeout.exe
2948	timeout.exe
1184	timeout.exe
3392	timeout.exe
736	timeout.exe
3852	timeout.exe
3328	timeout.exe
380	timeout.exe
3296	timeout.exe
916	timeout.exe
3920	timeout.exe
3896	timeout.exe
1936	timeout.exe
1184	timeout.exe
692	timeout.exe
1656	timeout.exe
2220	timeout.exe
2212	timeout.exe
3728	timeout.exe
2036	timeout.exe
612	timeout.exe
1240	timeout.exe
1352	timeout.exe
1464	timeout.exe

Checks processor information in registry 2 TTPs 160 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PI_#06875654.exe

Suspicious use of WriteProcessMemory 1191 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.execmd.exePI_#06875654.exePI_#06875654.execmd.exePI_#06875654.exePI_#06875654.exePI_#06875654.execmd.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.execmd.exePI_#06875654.exe

description	pid	process	target process
PID 792 wrote to memory of 2296	792	PI_#06875654.exe	PI_#06875654.exe
PID 792 wrote to memory of 2296	792	PI_#06875654.exe	PI_#06875654.exe
PID 792 wrote to memory of 2296	792	PI_#06875654.exe	PI_#06875654.exe
PID 792 wrote to memory of 2280	792	PI_#06875654.exe	PI_#06875654.exe
PID 792 wrote to memory of 2280	792	PI_#06875654.exe	PI_#06875654.exe
PID 792 wrote to memory of 2280	792	PI_#06875654.exe	PI_#06875654.exe
PID 2296 wrote to memory of 4036	2296	PI_#06875654.exe	cmd.exe
PID 2296 wrote to memory of 4036	2296	PI_#06875654.exe	cmd.exe
PID 2296 wrote to memory of 4036	2296	PI_#06875654.exe	cmd.exe
PID 2280 wrote to memory of 3220	2280	PI_#06875654.exe	PI_#06875654.exe
PID 2280 wrote to memory of 3220	2280	PI_#06875654.exe	PI_#06875654.exe
PID 2280 wrote to memory of 3220	2280	PI_#06875654.exe	PI_#06875654.exe
PID 4036 wrote to memory of 3820	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 3820	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 3820	4036	cmd.exe	timeout.exe
PID 3220 wrote to memory of 3916	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3220 wrote to memory of 3916	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3220 wrote to memory of 3916	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3220 wrote to memory of 3872	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3220 wrote to memory of 3872	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3220 wrote to memory of 3872	3220	PI_#06875654.exe	PI_#06875654.exe
PID 3916 wrote to memory of 916	3916	PI_#06875654.exe	cmd.exe
PID 3916 wrote to memory of 916	3916	PI_#06875654.exe	cmd.exe
PID 3916 wrote to memory of 916	3916	PI_#06875654.exe	cmd.exe
PID 916 wrote to memory of 612	916	cmd.exe	timeout.exe
PID 916 wrote to memory of 612	916	cmd.exe	timeout.exe
PID 916 wrote to memory of 612	916	cmd.exe	timeout.exe
PID 3872 wrote to memory of 1040	3872	PI_#06875654.exe	PI_#06875654.exe
PID 3872 wrote to memory of 1040	3872	PI_#06875654.exe	PI_#06875654.exe
PID 3872 wrote to memory of 1040	3872	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 3012	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 3012	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 3012	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 4032	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 4032	1040	PI_#06875654.exe	PI_#06875654.exe
PID 1040 wrote to memory of 4032	1040	PI_#06875654.exe	PI_#06875654.exe
PID 3012 wrote to memory of 3832	3012	PI_#06875654.exe	cmd.exe
PID 3012 wrote to memory of 3832	3012	PI_#06875654.exe	cmd.exe
PID 3012 wrote to memory of 3832	3012	PI_#06875654.exe	cmd.exe
PID 3832 wrote to memory of 1348	3832	cmd.exe	timeout.exe
PID 3832 wrote to memory of 1348	3832	cmd.exe	timeout.exe
PID 3832 wrote to memory of 1348	3832	cmd.exe	timeout.exe
PID 4032 wrote to memory of 1460	4032	PI_#06875654.exe	PI_#06875654.exe
PID 4032 wrote to memory of 1460	4032	PI_#06875654.exe	PI_#06875654.exe
PID 4032 wrote to memory of 1460	4032	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1600	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1600	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1600	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1664	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1664	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1460 wrote to memory of 1664	1460	PI_#06875654.exe	PI_#06875654.exe
PID 1600 wrote to memory of 3744	1600	PI_#06875654.exe	cmd.exe
PID 1600 wrote to memory of 3744	1600	PI_#06875654.exe	cmd.exe
PID 1600 wrote to memory of 3744	1600	PI_#06875654.exe	cmd.exe
PID 1664 wrote to memory of 2784	1664	PI_#06875654.exe	PI_#06875654.exe
PID 1664 wrote to memory of 2784	1664	PI_#06875654.exe	PI_#06875654.exe
PID 1664 wrote to memory of 2784	1664	PI_#06875654.exe	PI_#06875654.exe
PID 3744 wrote to memory of 3956	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3956	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3956	3744	cmd.exe	timeout.exe
PID 2784 wrote to memory of 500	2784	PI_#06875654.exe	PI_#06875654.exe
PID 2784 wrote to memory of 500	2784	PI_#06875654.exe	PI_#06875654.exe
PID 2784 wrote to memory of 500	2784	PI_#06875654.exe	PI_#06875654.exe
PID 2784 wrote to memory of 636	2784	PI_#06875654.exe	PI_#06875654.exe

Checks for installed software on the system 1 TTPs 2480 IoCs

discovery

Query Registry

T1012

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	PI_#06875654.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	PI_#06875654.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	PI_#06875654.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	PI_#06875654.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:3820

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2296 60281
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
6⤵
- Delays execution with timeout.exe
PID:612

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3916 63312
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
8⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3012 65343
6⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Checks for installed software on the system
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
9⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
10⤵
- Delays execution with timeout.exe
PID:3956

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1600 67250
8⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
10⤵
- Loads dropped DLL
- Checks processor information in registry
PID:500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
11⤵
PID:3204

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
12⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 500 69234
10⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3472

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
12⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
13⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
14⤵
- Delays execution with timeout.exe
PID:736

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1464 71453
12⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1780

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
14⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
15⤵
PID:1748

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
16⤵
- Delays execution with timeout.exe
PID:2976

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3824 73421
14⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2784

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
16⤵
- Loads dropped DLL
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
17⤵
PID:500

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
18⤵
- Delays execution with timeout.exe
PID:3852

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1348 75343
16⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3676

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
18⤵
- Loads dropped DLL
- Checks for installed software on the system
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
19⤵
PID:1656

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
20⤵
- Delays execution with timeout.exe
PID:612

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3940 77187
18⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:916

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
20⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
21⤵
PID:2740

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
22⤵
- Delays execution with timeout.exe
PID:3328

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2168 78984
20⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3864

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
22⤵
- Loads dropped DLL
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
23⤵
PID:1032

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
24⤵
- Delays execution with timeout.exe
PID:2120

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2856 80812
22⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3760

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
24⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
25⤵
PID:3736

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
26⤵
- Delays execution with timeout.exe
PID:3920

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1912 83062
24⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1904

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
26⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:3248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
27⤵
PID:2732

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
28⤵
- Delays execution with timeout.exe
PID:2280

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3248 84921
26⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3648

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
28⤵
- Loads dropped DLL
- Checks processor information in registry
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
29⤵
PID:3016

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
30⤵
- Delays execution with timeout.exe
PID:3676

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 804 86781
28⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:416

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
30⤵
- Loads dropped DLL
- Checks for installed software on the system
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
31⤵
PID:576

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
32⤵
- Delays execution with timeout.exe
PID:2200

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1664 88625
30⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4036

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
32⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
33⤵
PID:3296

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
34⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2060 90359
32⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
33⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1252

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
34⤵
- Checks for installed software on the system
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
35⤵
PID:500

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
36⤵
- Delays execution with timeout.exe
PID:2220

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1912 92109
34⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3816

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
36⤵
- Checks for installed software on the system
PID:1240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
37⤵
PID:1120

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
38⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1240 93984
36⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1884

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
38⤵
- Checks processor information in registry
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
39⤵
PID:2956

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
40⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2952 95890
38⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
39⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2036

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
40⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
41⤵
PID:1300

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
42⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1192 97718
40⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
41⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1912

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
42⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
43⤵
PID:3636

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
44⤵
- Delays execution with timeout.exe
PID:3812

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3892 99703
42⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
43⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:996

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
44⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
45⤵
PID:3496

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
46⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 588 101546
44⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
45⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3576

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
46⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
47⤵
PID:1704

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
48⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3824 103453
46⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
47⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1460

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
48⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
49⤵
PID:344

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
50⤵
- Delays execution with timeout.exe
PID:2148

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 416 105187
48⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
49⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
50⤵
- Checks processor information in registry
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
51⤵
PID:2880

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
52⤵
- Delays execution with timeout.exe
PID:2212

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 636 107015
50⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
51⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3452

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
52⤵
- Checks for installed software on the system
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
53⤵
PID:1900

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
54⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3192 108687
52⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
53⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3600

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
54⤵
- Checks processor information in registry
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
55⤵
PID:3296

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
56⤵
- Delays execution with timeout.exe
PID:344

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1460 110640
54⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
55⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3836

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
56⤵
- Checks processor information in registry
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
57⤵
PID:2676

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
58⤵
- Delays execution with timeout.exe
PID:3676

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3688 112609
56⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
57⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1812

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
58⤵
- Checks for installed software on the system
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
59⤵
PID:644

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
60⤵
- Delays execution with timeout.exe
PID:3896

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 976 114468
58⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
59⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:384

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
60⤵
- Checks for installed software on the system
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
61⤵
PID:3140

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
62⤵
- Delays execution with timeout.exe
PID:2280

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1748 116406
60⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
61⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3132

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
62⤵
- Checks processor information in registry
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
63⤵
PID:3448

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
64⤵
- Delays execution with timeout.exe
PID:740

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3472 118296
62⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
63⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2956

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
64⤵
- Checks for installed software on the system
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
65⤵
PID:3808

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
66⤵
- Delays execution with timeout.exe
PID:2948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3496 120062
64⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
65⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3388

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
66⤵
- Checks for installed software on the system
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
67⤵
PID:4004

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
68⤵
- Delays execution with timeout.exe
PID:3640

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2320 121984
66⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
67⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2956

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
68⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
69⤵
PID:2216

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
70⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2280 123843
68⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
69⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3636

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
70⤵
- Checks processor information in registry
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
71⤵
PID:2948

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
72⤵
- Delays execution with timeout.exe
PID:1352

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 692 125593
70⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
71⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3944

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
72⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
73⤵
PID:1436

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
74⤵
- Delays execution with timeout.exe
PID:1936

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3296 127390
72⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
73⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1756

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
74⤵
- Checks processor information in registry
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
75⤵
PID:3388

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
76⤵
- Delays execution with timeout.exe
PID:508

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1656 129187
74⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
75⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1252

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
76⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
77⤵
PID:1196

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
78⤵
- Delays execution with timeout.exe
PID:692

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3192 130984
76⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
77⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2336

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
78⤵
- Checks for installed software on the system
PID:500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
79⤵
PID:3792

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
80⤵
- Delays execution with timeout.exe
PID:2224

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 500 132843
78⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
79⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1812

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
80⤵
- Checks processor information in registry
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
81⤵
PID:2844

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
82⤵
- Delays execution with timeout.exe
PID:1584

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3004 134468
80⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
81⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3836

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
82⤵
- Checks processor information in registry
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
83⤵
PID:3588

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
84⤵
- Delays execution with timeout.exe
PID:1464

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3144 136312
82⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
83⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1488

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
84⤵
- Checks processor information in registry
PID:3568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
85⤵
PID:692

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
86⤵
- Delays execution with timeout.exe
PID:1184

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3568 138203
84⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
85⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1912

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
86⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
87⤵
PID:508

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
88⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3664 140015
86⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
87⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3556

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
88⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
89⤵
PID:1584

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
90⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1660 141843
88⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
89⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2404

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
90⤵
- Checks for installed software on the system
PID:3812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
91⤵
PID:2320

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
92⤵
- Delays execution with timeout.exe
PID:2112

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3812 143593
90⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
91⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4092

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
92⤵
- Checks processor information in registry
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
93⤵
PID:1184

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
94⤵
- Delays execution with timeout.exe
PID:3728

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3816 145484
92⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
93⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:380

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
94⤵
- Checks processor information in registry
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
95⤵
PID:384

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
96⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3732 147312
94⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
95⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3456

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
96⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
97⤵
PID:3132

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
98⤵
- Delays execution with timeout.exe
PID:972

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1492 149250
96⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
97⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2344

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
98⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
99⤵
PID:1192

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
100⤵
- Delays execution with timeout.exe
PID:2428

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3816 151171
98⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
99⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1356

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
100⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
101⤵
PID:3676

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
102⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 808 153062
100⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
101⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2176

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
102⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
103⤵
PID:384

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
104⤵
- Delays execution with timeout.exe
PID:380

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 688 154953
102⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
103⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:744

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
104⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
105⤵
PID:3556

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
106⤵
- Delays execution with timeout.exe
PID:2036

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2336 156843
104⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
105⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3044

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
106⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
107⤵
PID:3644

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
108⤵
- Delays execution with timeout.exe
PID:2220

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 576 158640
106⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
107⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1328

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
108⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
109⤵
PID:580

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
110⤵
- Delays execution with timeout.exe
PID:3296

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3144 160500
108⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
109⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
110⤵
- Checks processor information in registry
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
111⤵
PID:2204

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
112⤵
- Delays execution with timeout.exe
PID:916

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3596 162359
110⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
111⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2520

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
112⤵
- Checks for installed software on the system
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
113⤵
PID:3832

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
114⤵
- Delays execution with timeout.exe
PID:3800

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1748 164234
112⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
113⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3844

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
114⤵
- Checks processor information in registry
PID:3044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
115⤵
PID:1204

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
116⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3044 165984
114⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
115⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2404

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
116⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
117⤵
PID:3936

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
118⤵
- Delays execution with timeout.exe
PID:4032

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3860 167828
116⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
117⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1896

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
118⤵
- Checks for installed software on the system
PID:1812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
119⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
120⤵
- Delays execution with timeout.exe
PID:3320

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1812 169515
118⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
119⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3896

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
120⤵
- Checks processor information in registry
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
121⤵
PID:1252

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
122⤵
- Delays execution with timeout.exe
PID:3664

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2576 171281
120⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
121⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3976

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
122⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
123⤵
PID:2884

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
124⤵
- Delays execution with timeout.exe
PID:3000

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 392 173218
122⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
123⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4048

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
124⤵
- Checks processor information in registry
PID:940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
125⤵
PID:1716

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
126⤵
- Delays execution with timeout.exe
PID:1240

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 940 175171
124⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
125⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2112

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
126⤵
- Checks for installed software on the system
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
127⤵
PID:2204

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
128⤵
- Delays execution with timeout.exe
PID:2948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1772 177109
126⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
127⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3876

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
128⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
129⤵
PID:584

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
130⤵
- Delays execution with timeout.exe
PID:3576

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1236 178875
128⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
129⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
130⤵
- Checks for installed software on the system
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
131⤵
PID:1588

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
132⤵
- Delays execution with timeout.exe
PID:692

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2776 180640
130⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
131⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
132⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
133⤵
PID:1912

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
134⤵
- Delays execution with timeout.exe
PID:1488

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2176 182484
132⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
133⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
134⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
135⤵
PID:412

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
136⤵
- Delays execution with timeout.exe
PID:1656

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1336 184250
134⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
135⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
136⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
137⤵
PID:3972

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
138⤵
- Delays execution with timeout.exe
PID:3860

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1348 186093
136⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
137⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
138⤵
- Checks processor information in registry
PID:3812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
139⤵
PID:1316

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
140⤵
- Delays execution with timeout.exe
PID:3728

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3812 187984
138⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
139⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
140⤵
- Checks processor information in registry
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
141⤵
PID:1352

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
142⤵
- Delays execution with timeout.exe
PID:2176

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1312 189828
140⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
141⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
142⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
143⤵
PID:3976

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
144⤵
- Delays execution with timeout.exe
PID:3852

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3732 191718
142⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
143⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
144⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
145⤵
PID:3664

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
146⤵
- Delays execution with timeout.exe
PID:2344

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2192 193578
144⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
145⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
146⤵
- Checks processor information in registry
PID:3844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
147⤵
PID:1196

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
148⤵
- Delays execution with timeout.exe
PID:4032

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3844 195312
146⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
147⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
148⤵
- Checks processor information in registry
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
149⤵
PID:2840

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
150⤵
- Delays execution with timeout.exe
PID:744

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1584 197093
148⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
149⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
150⤵
- Checks for installed software on the system
PID:3896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
151⤵
PID:2224

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
152⤵
- Delays execution with timeout.exe
PID:1184

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3896 199015
150⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
151⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
152⤵
- Checks for installed software on the system
PID:576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
153⤵
PID:792

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
154⤵
- Delays execution with timeout.exe
PID:3392

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 576 200859
152⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
153⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
154⤵
- Checks processor information in registry
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
155⤵
PID:1516

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
156⤵
- Delays execution with timeout.exe
PID:1644

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3984 202640
154⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
155⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
156⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
157⤵
PID:2676

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
158⤵
- Delays execution with timeout.exe
PID:1236

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3936 204703
156⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
157⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
158⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "PI_#06875654.exe"
159⤵
PID:1336

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
160⤵
- Delays execution with timeout.exe
PID:2324

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1708 206468
158⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
159⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
160⤵
- Checks processor information in registry
PID:1392

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 1392 208437
160⤵
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
memory/340-2455-0x0000000000000000-mapping.dmp

Download
memory/344-1029-0x0000000000000000-mapping.dmp

Download
memory/344-848-0x0000000000000000-mapping.dmp

Download
memory/380-1622-0x0000000000000000-mapping.dmp

Download
memory/380-1829-0x0000000000000000-mapping.dmp

Download
memory/384-1054-0x0000000000000000-mapping.dmp

Download
memory/384-1706-0x0000000000000000-mapping.dmp

Download
memory/384-2284-0x0000000000000000-mapping.dmp

Download
memory/384-1828-0x0000000000000000-mapping.dmp

Download
memory/384-864-0x0000000000000000-mapping.dmp

Download
memory/392-2083-0x000000000041A1F8-mapping.dmp

Download
memory/412-2237-0x0000000000000000-mapping.dmp

Download
memory/416-2277-0x0000000000000000-mapping.dmp

Download
memory/416-840-0x000000000041A1F8-mapping.dmp

Download
memory/416-520-0x0000000000000000-mapping.dmp

Download
memory/416-2227-0x0000000000000000-mapping.dmp

Download
memory/416-2095-0x0000000000000000-mapping.dmp

Download
memory/496-1822-0x0000000000000000-mapping.dmp

Download
memory/500-695-0x0000000000000000-mapping.dmp

Download
memory/500-305-0x0000000000000000-mapping.dmp

Download
memory/500-1310-0x000000000041A1F8-mapping.dmp

Download
memory/500-191-0x000000000041A1F8-mapping.dmp

Download
memory/508-1512-0x0000000000000000-mapping.dmp

Download
memory/508-1296-0x0000000000000000-mapping.dmp

Download
memory/508-1833-0x0000000000000000-mapping.dmp

Download
memory/508-2263-0x0000000000000000-mapping.dmp

Download
memory/512-2324-0x0000000000000000-mapping.dmp

Download
memory/512-1168-0x0000000000000000-mapping.dmp

Download
memory/576-2334-0x000000000041A1F8-mapping.dmp

Download
memory/576-1848-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/576-1843-0x000000000041A1F8-mapping.dmp

Download
memory/576-601-0x0000000000000000-mapping.dmp

Download
memory/580-1863-0x0000000000000000-mapping.dmp

Download
memory/580-1057-0x0000000000000000-mapping.dmp

Download
memory/584-1528-0x0000000000000000-mapping.dmp

Download
memory/584-2203-0x0000000000000000-mapping.dmp

Download
memory/588-523-0x0000000000000000-mapping.dmp

Download
memory/588-818-0x000000000041A1F8-mapping.dmp

Download
memory/612-318-0x0000000000000000-mapping.dmp

Download
memory/612-94-0x0000000000000000-mapping.dmp

Download
memory/612-1525-0x0000000000000000-mapping.dmp

Download
memory/636-852-0x000000000041A1F8-mapping.dmp

Download
memory/636-192-0x0000000000000000-mapping.dmp

Download
memory/644-1052-0x0000000000000000-mapping.dmp

Download
memory/688-1821-0x000000000041A1F8-mapping.dmp

Download
memory/692-1426-0x0000000000000000-mapping.dmp

Download
memory/692-1307-0x0000000000000000-mapping.dmp

Download
memory/692-2215-0x0000000000000000-mapping.dmp

Download
memory/692-1189-0x000000000041A1F8-mapping.dmp

Download
memory/736-946-0x0000000000000000-mapping.dmp

Download
memory/736-284-0x0000000000000000-mapping.dmp

Download
memory/740-1075-0x0000000000000000-mapping.dmp

Download
memory/744-2320-0x0000000000000000-mapping.dmp

Download
memory/744-1830-0x0000000000000000-mapping.dmp

Download
memory/772-2343-0x0000000000000000-mapping.dmp

Download
memory/792-2341-0x0000000000000000-mapping.dmp

Download
memory/804-438-0x000000000041A1F8-mapping.dmp

Download
memory/808-1733-0x000000000041A1F8-mapping.dmp

Download
memory/904-805-0x0000000000000000-mapping.dmp

Download
memory/916-319-0x0000000000000000-mapping.dmp

Download
memory/916-1875-0x0000000000000000-mapping.dmp

Download
memory/916-93-0x0000000000000000-mapping.dmp

Download
memory/940-1818-0x0000000000000000-mapping.dmp

Download
memory/940-2094-0x000000000041A1F8-mapping.dmp

Download
memory/972-1720-0x0000000000000000-mapping.dmp

Download
memory/976-1043-0x000000000041A1F8-mapping.dmp

Download
memory/976-711-0x0000000000000000-mapping.dmp

Download
memory/996-816-0x0000000000000000-mapping.dmp

Download
memory/996-700-0x0000000000000000-mapping.dmp

Download
memory/996-1033-0x0000000000000000-mapping.dmp

Download
memory/1004-1614-0x0000000000000000-mapping.dmp

Download
memory/1032-340-0x0000000000000000-mapping.dmp

Download
memory/1032-199-0x0000000000000000-mapping.dmp

Download
memory/1040-95-0x0000000000000000-mapping.dmp

Download
memory/1120-706-0x0000000000000000-mapping.dmp

Download
memory/1168-826-0x0000000000000000-mapping.dmp

Download
memory/1184-1620-0x0000000000000000-mapping.dmp

Download
memory/1184-1427-0x0000000000000000-mapping.dmp

Download
memory/1184-2331-0x0000000000000000-mapping.dmp

Download
memory/1192-721-0x000000000041A1F8-mapping.dmp

Download
memory/1192-1729-0x0000000000000000-mapping.dmp

Download
memory/1196-1306-0x0000000000000000-mapping.dmp

Download
memory/1196-2307-0x0000000000000000-mapping.dmp

Download
memory/1204-1896-0x0000000000000000-mapping.dmp

Download
memory/1236-1515-0x0000000000000000-mapping.dmp

Download
memory/1236-2196-0x000000000041A1F8-mapping.dmp

Download
memory/1236-2364-0x0000000000000000-mapping.dmp

Download
memory/1236-613-0x0000000000000000-mapping.dmp

Download
memory/1240-299-0x0000000000000000-mapping.dmp

Download
memory/1240-2181-0x0000000000000000-mapping.dmp

Download
memory/1240-699-0x000000000041A1F8-mapping.dmp

Download
memory/1252-2079-0x0000000000000000-mapping.dmp

Download
memory/1252-614-0x0000000000000000-mapping.dmp

Download
memory/1252-1297-0x0000000000000000-mapping.dmp

Download
memory/1300-802-0x0000000000000000-mapping.dmp

Download
memory/1312-2265-0x000000000041A1F8-mapping.dmp

Download
memory/1316-2261-0x0000000000000000-mapping.dmp

Download
memory/1328-1853-0x0000000000000000-mapping.dmp

Download
memory/1328-356-0x0000000000000000-mapping.dmp

Download
memory/1336-2450-0x0000000000000000-mapping.dmp

Download
memory/1336-2335-0x0000000000000000-mapping.dmp

Download
memory/1336-2229-0x000000000041A1F8-mapping.dmp

Download
memory/1348-2241-0x000000000041A1F8-mapping.dmp

Download
memory/1348-105-0x0000000000000000-mapping.dmp

Download
memory/1348-2296-0x0000000000000000-mapping.dmp

Download
memory/1348-298-0x000000000041A1F8-mapping.dmp

Download
memory/1352-1273-0x0000000000000000-mapping.dmp

Download
memory/1352-2272-0x0000000000000000-mapping.dmp

Download
memory/1356-1731-0x0000000000000000-mapping.dmp

Download
memory/1356-722-0x0000000000000000-mapping.dmp

Download
memory/1356-1987-0x0000000000000000-mapping.dmp

Download
memory/1392-2454-0x000000000041A1F8-mapping.dmp

Download
memory/1436-1284-0x0000000000000000-mapping.dmp

Download
memory/1460-838-0x0000000000000000-mapping.dmp

Download
memory/1460-106-0x0000000000000000-mapping.dmp

Download
memory/1460-439-0x0000000000000000-mapping.dmp

Download
memory/1460-949-0x000000000041A1F8-mapping.dmp

Download
memory/1464-333-0x0000000000000000-mapping.dmp

Download
memory/1464-1415-0x0000000000000000-mapping.dmp

Download
memory/1464-202-0x000000000041A1F8-mapping.dmp

Download
memory/1488-1416-0x0000000000000000-mapping.dmp

Download
memory/1488-1890-0x0000000000000000-mapping.dmp

Download
memory/1488-2226-0x0000000000000000-mapping.dmp

Download
memory/1492-1710-0x000000000041A1F8-mapping.dmp

Download
memory/1516-1068-0x0000000000000000-mapping.dmp

Download
memory/1516-2352-0x0000000000000000-mapping.dmp

Download
memory/1584-2311-0x000000000041A1F8-mapping.dmp

Download
memory/1584-1523-0x0000000000000000-mapping.dmp

Download
memory/1584-2204-0x0000000000000000-mapping.dmp

Download
memory/1584-1329-0x0000000000000000-mapping.dmp

Download
memory/1588-2214-0x0000000000000000-mapping.dmp

Download
memory/1600-108-0x000000000041A1F8-mapping.dmp

Download
memory/1644-1993-0x0000000000000000-mapping.dmp

Download
memory/1644-2354-0x0000000000000000-mapping.dmp

Download
memory/1656-1288-0x000000000041A1F8-mapping.dmp

Download
memory/1656-2353-0x0000000000000000-mapping.dmp

Download
memory/1656-317-0x0000000000000000-mapping.dmp

Download
memory/1656-2238-0x0000000000000000-mapping.dmp

Download
memory/1660-1516-0x000000000041A1F8-mapping.dmp

Download
memory/1664-1857-0x0000000000000000-mapping.dmp

Download
memory/1664-109-0x0000000000000000-mapping.dmp

Download
memory/1664-522-0x000000000041A1F8-mapping.dmp

Download
memory/1704-836-0x0000000000000000-mapping.dmp

Download
memory/1708-2367-0x000000000041A1F8-mapping.dmp

Download
memory/1716-2180-0x0000000000000000-mapping.dmp

Download
memory/1748-294-0x0000000000000000-mapping.dmp

Download
memory/1748-1056-0x000000000041A1F8-mapping.dmp

Download
memory/1748-1878-0x000000000041A1F8-mapping.dmp

Download
memory/1756-1286-0x0000000000000000-mapping.dmp

Download
memory/1772-2184-0x000000000041A1F8-mapping.dmp

Download
memory/1780-285-0x0000000000000000-mapping.dmp

Download
memory/1780-1289-0x0000000000000000-mapping.dmp

Download
memory/1812-819-0x0000000000000000-mapping.dmp

Download
memory/1812-1318-0x0000000000000000-mapping.dmp

Download
memory/1812-1986-0x000000000041A1F8-mapping.dmp

Download
memory/1812-1041-0x0000000000000000-mapping.dmp

Download
memory/1836-2274-0x0000000000000000-mapping.dmp

Download
memory/1852-830-0x0000000000000000-mapping.dmp

Download
memory/1884-708-0x0000000000000000-mapping.dmp

Download
memory/1896-1983-0x0000000000000000-mapping.dmp

Download
memory/1900-944-0x0000000000000000-mapping.dmp

Download
memory/1904-353-0x0000000000000000-mapping.dmp

Download
memory/1912-2225-0x0000000000000000-mapping.dmp

Download
memory/1912-616-0x000000000041A1F8-mapping.dmp

Download
memory/1912-1428-0x0000000000000000-mapping.dmp

Download
memory/1912-804-0x0000000000000000-mapping.dmp

Download
memory/1912-344-0x000000000041A1F8-mapping.dmp

Download
memory/1920-2451-0x0000000000000000-mapping.dmp

Download
memory/1936-1285-0x0000000000000000-mapping.dmp

Download
memory/1948-2219-0x0000000000000000-mapping.dmp

Download
memory/1948-1865-0x0000000000000000-mapping.dmp

Download
memory/2036-1840-0x0000000000000000-mapping.dmp

Download
memory/2036-719-0x0000000000000000-mapping.dmp

Download
memory/2060-605-0x000000000041A1F8-mapping.dmp

Download
memory/2112-1610-0x0000000000000000-mapping.dmp

Download
memory/2112-2182-0x0000000000000000-mapping.dmp

Download
memory/2120-1879-0x0000000000000000-mapping.dmp

Download
memory/2120-341-0x0000000000000000-mapping.dmp

Download
memory/2120-950-0x0000000000000000-mapping.dmp

Download
memory/2120-1079-0x0000000000000000-mapping.dmp

Download
memory/2148-849-0x0000000000000000-mapping.dmp

Download
memory/2160-850-0x0000000000000000-mapping.dmp

Download
memory/2168-321-0x000000000041A1F8-mapping.dmp

Download
memory/2176-2273-0x0000000000000000-mapping.dmp

Download
memory/2176-2218-0x000000000041A1F8-mapping.dmp

Download
memory/2176-1819-0x0000000000000000-mapping.dmp

Download
memory/2180-1311-0x0000000000000000-mapping.dmp

Download
memory/2184-322-0x0000000000000000-mapping.dmp

Download
memory/2192-2287-0x000000000041A1F8-mapping.dmp

Download
memory/2200-602-0x0000000000000000-mapping.dmp

Download
memory/2204-2192-0x0000000000000000-mapping.dmp

Download
memory/2204-1874-0x0000000000000000-mapping.dmp

Download
memory/2204-808-0x0000000000000000-mapping.dmp

Download
memory/2208-617-0x0000000000000000-mapping.dmp

Download
memory/2212-861-0x0000000000000000-mapping.dmp

Download
memory/2216-1185-0x0000000000000000-mapping.dmp

Download
memory/2220-1854-0x0000000000000000-mapping.dmp

Download
memory/2220-696-0x0000000000000000-mapping.dmp

Download
memory/2220-2321-0x0000000000000000-mapping.dmp

Download
memory/2224-1319-0x0000000000000000-mapping.dmp

Download
memory/2224-2330-0x0000000000000000-mapping.dmp

Download
memory/2228-1179-0x0000000000000000-mapping.dmp

Download
memory/2280-1178-0x000000000041A1F8-mapping.dmp

Download
memory/2280-2-0x0000000000000000-mapping.dmp

Download
memory/2280-436-0x0000000000000000-mapping.dmp

Download
memory/2280-1064-0x0000000000000000-mapping.dmp

Download
memory/2296-1322-0x0000000000000000-mapping.dmp

Download
memory/2296-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2296-1-0x000000000041A1F8-mapping.dmp

Download
memory/2296-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2320-1609-0x0000000000000000-mapping.dmp

Download
memory/2320-1167-0x000000000041A1F8-mapping.dmp

Download
memory/2324-2452-0x0000000000000000-mapping.dmp

Download
memory/2336-1832-0x000000000041A1F8-mapping.dmp

Download
memory/2336-1308-0x0000000000000000-mapping.dmp

Download
memory/2344-1719-0x0000000000000000-mapping.dmp

Download
memory/2344-2295-0x0000000000000000-mapping.dmp

Download
memory/2396-2288-0x0000000000000000-mapping.dmp

Download
memory/2404-1524-0x0000000000000000-mapping.dmp

Download
memory/2404-1898-0x0000000000000000-mapping.dmp

Download
memory/2428-1730-0x0000000000000000-mapping.dmp

Download
memory/2428-1868-0x0000000000000000-mapping.dmp

Download
memory/2520-1876-0x0000000000000000-mapping.dmp

Download
memory/2576-1997-0x000000000041A1F8-mapping.dmp

Download
memory/2576-2185-0x0000000000000000-mapping.dmp

Download
memory/2676-1039-0x0000000000000000-mapping.dmp

Download
memory/2676-2363-0x0000000000000000-mapping.dmp

Download
memory/2732-434-0x0000000000000000-mapping.dmp

Download
memory/2740-328-0x0000000000000000-mapping.dmp

Download
memory/2740-1517-0x0000000000000000-mapping.dmp

Download
memory/2776-2207-0x000000000041A1F8-mapping.dmp

Download
memory/2784-188-0x0000000000000000-mapping.dmp

Download
memory/2784-2368-0x0000000000000000-mapping.dmp

Download
memory/2784-2312-0x0000000000000000-mapping.dmp

Download
memory/2784-296-0x0000000000000000-mapping.dmp

Download
memory/2800-2332-0x0000000000000000-mapping.dmp

Download
memory/2840-2319-0x0000000000000000-mapping.dmp

Download
memory/2844-606-0x0000000000000000-mapping.dmp

Download
memory/2844-1328-0x0000000000000000-mapping.dmp

Download
memory/2856-332-0x000000000041A1F8-mapping.dmp

Download
memory/2880-859-0x0000000000000000-mapping.dmp

Download
memory/2884-2090-0x0000000000000000-mapping.dmp

Download
memory/2884-1844-0x0000000000000000-mapping.dmp

Download
memory/2948-1164-0x0000000000000000-mapping.dmp

Download
memory/2948-1431-0x0000000000000000-mapping.dmp

Download
memory/2948-2194-0x0000000000000000-mapping.dmp

Download
memory/2948-1723-0x0000000000000000-mapping.dmp

Download
memory/2948-1272-0x0000000000000000-mapping.dmp

Download
memory/2952-710-0x000000000041A1F8-mapping.dmp

Download
memory/2956-1176-0x0000000000000000-mapping.dmp

Download
memory/2956-1076-0x0000000000000000-mapping.dmp

Download
memory/2956-717-0x0000000000000000-mapping.dmp

Download
memory/2976-295-0x0000000000000000-mapping.dmp

Download
memory/2976-837-0x0000000000000000-mapping.dmp

Download
memory/3000-2091-0x0000000000000000-mapping.dmp

Download
memory/3004-1321-0x000000000041A1F8-mapping.dmp

Download
memory/3012-97-0x000000000041A1F8-mapping.dmp

Download
memory/3016-2250-0x0000000000000000-mapping.dmp

Download
memory/3016-518-0x0000000000000000-mapping.dmp

Download
memory/3044-707-0x0000000000000000-mapping.dmp

Download
memory/3044-1841-0x0000000000000000-mapping.dmp

Download
memory/3044-1889-0x000000000041A1F8-mapping.dmp

Download
memory/3088-2266-0x0000000000000000-mapping.dmp

Download
memory/3132-1717-0x0000000000000000-mapping.dmp

Download
memory/3132-1065-0x0000000000000000-mapping.dmp

Download
memory/3140-1063-0x0000000000000000-mapping.dmp

Download
memory/3144-1332-0x000000000041A1F8-mapping.dmp

Download
memory/3144-1625-0x0000000000000000-mapping.dmp

Download
memory/3144-1856-0x000000000041A1F8-mapping.dmp

Download
memory/3192-863-0x000000000041A1F8-mapping.dmp

Download
memory/3192-1299-0x000000000041A1F8-mapping.dmp

Download
memory/3192-1707-0x0000000000000000-mapping.dmp

Download
memory/3192-868-0x00000000030D0000-0x00000000030DC000-memory.dmp

Filesize
48KB

Download
memory/3204-198-0x0000000000000000-mapping.dmp

Download
memory/3220-9-0x0000000000000000-mapping.dmp

Download
memory/3248-1711-0x0000000000000000-mapping.dmp

Download
memory/3248-355-0x000000000041A1F8-mapping.dmp

Download
memory/3248-1190-0x0000000000000000-mapping.dmp

Download
memory/3296-1028-0x0000000000000000-mapping.dmp

Download
memory/3296-612-0x0000000000000000-mapping.dmp

Download
memory/3296-1864-0x0000000000000000-mapping.dmp

Download
memory/3296-1276-0x000000000041A1F8-mapping.dmp

Download
memory/3320-1996-0x0000000000000000-mapping.dmp

Download
memory/3328-329-0x0000000000000000-mapping.dmp

Download
memory/3380-2216-0x0000000000000000-mapping.dmp

Download
memory/3380-1419-0x0000000000000000-mapping.dmp

Download
memory/3388-1295-0x0000000000000000-mapping.dmp

Download
memory/3388-2239-0x0000000000000000-mapping.dmp

Download
memory/3388-1165-0x0000000000000000-mapping.dmp

Download
memory/3392-2230-0x0000000000000000-mapping.dmp

Download
memory/3392-2342-0x0000000000000000-mapping.dmp

Download
memory/3448-1074-0x0000000000000000-mapping.dmp

Download
memory/3452-860-0x0000000000000000-mapping.dmp

Download
memory/3452-718-0x0000000000000000-mapping.dmp

Download
memory/3456-1708-0x0000000000000000-mapping.dmp

Download
memory/3456-2357-0x0000000000000000-mapping.dmp

Download
memory/3472-2309-0x0000000000000000-mapping.dmp

Download
memory/3472-1067-0x000000000041A1F8-mapping.dmp

Download
memory/3472-200-0x0000000000000000-mapping.dmp

Download
memory/3496-825-0x0000000000000000-mapping.dmp

Download
memory/3496-1078-0x000000000041A1F8-mapping.dmp

Download
memory/3556-1513-0x0000000000000000-mapping.dmp

Download
memory/3556-283-0x0000000000000000-mapping.dmp

Download
memory/3556-1839-0x0000000000000000-mapping.dmp

Download
memory/3568-1418-0x000000000041A1F8-mapping.dmp

Download
memory/3576-1187-0x0000000000000000-mapping.dmp

Download
memory/3576-827-0x0000000000000000-mapping.dmp

Download
memory/3576-2205-0x0000000000000000-mapping.dmp

Download
memory/3588-1414-0x0000000000000000-mapping.dmp

Download
memory/3596-1867-0x000000000041A1F8-mapping.dmp

Download
memory/3600-947-0x0000000000000000-mapping.dmp

Download
memory/3604-288-0x0000000000000000-mapping.dmp

Download
memory/3636-814-0x0000000000000000-mapping.dmp

Download
memory/3636-1186-0x0000000000000000-mapping.dmp

Download
memory/3636-1897-0x0000000000000000-mapping.dmp

Download
memory/3640-1175-0x0000000000000000-mapping.dmp

Download
memory/3644-1852-0x0000000000000000-mapping.dmp

Download
memory/3648-1300-0x0000000000000000-mapping.dmp

Download
memory/3648-435-0x0000000000000000-mapping.dmp

Download
memory/3664-1430-0x000000000041A1F8-mapping.dmp

Download
memory/3664-2294-0x0000000000000000-mapping.dmp

Download
memory/3664-2080-0x0000000000000000-mapping.dmp

Download
memory/3676-1040-0x0000000000000000-mapping.dmp

Download
memory/3676-1817-0x0000000000000000-mapping.dmp

Download
memory/3676-519-0x0000000000000000-mapping.dmp

Download
memory/3676-307-0x0000000000000000-mapping.dmp

Download
memory/3688-1032-0x000000000041A1F8-mapping.dmp

Download
memory/3716-345-0x0000000000000000-mapping.dmp

Download
memory/3728-1621-0x0000000000000000-mapping.dmp

Download
memory/3728-2262-0x0000000000000000-mapping.dmp

Download
memory/3732-2276-0x000000000041A1F8-mapping.dmp

Download
memory/3732-1624-0x000000000041A1F8-mapping.dmp

Download
memory/3736-351-0x0000000000000000-mapping.dmp

Download
memory/3744-310-0x0000000000000000-mapping.dmp

Download
memory/3744-187-0x0000000000000000-mapping.dmp

Download
memory/3760-342-0x0000000000000000-mapping.dmp

Download
memory/3792-1317-0x0000000000000000-mapping.dmp

Download
memory/3792-2208-0x0000000000000000-mapping.dmp

Download
memory/3792-2365-0x0000000000000000-mapping.dmp

Download
memory/3800-1886-0x0000000000000000-mapping.dmp

Download
memory/3808-1163-0x0000000000000000-mapping.dmp

Download
memory/3812-1527-0x000000000041A1F8-mapping.dmp

Download
memory/3812-2252-0x000000000041A1F8-mapping.dmp

Download
memory/3812-815-0x0000000000000000-mapping.dmp

Download
memory/3816-1613-0x000000000041A1F8-mapping.dmp

Download
memory/3816-1722-0x000000000041A1F8-mapping.dmp

Download
memory/3816-697-0x0000000000000000-mapping.dmp

Download
memory/3820-10-0x0000000000000000-mapping.dmp

Download
memory/3824-2253-0x0000000000000000-mapping.dmp

Download
memory/3824-287-0x000000000041A1F8-mapping.dmp

Download
memory/3824-829-0x000000000041A1F8-mapping.dmp

Download
memory/3832-104-0x0000000000000000-mapping.dmp

Download
memory/3832-1885-0x0000000000000000-mapping.dmp

Download
memory/3836-2299-0x0000000000000000-mapping.dmp

Download
memory/3836-1030-0x0000000000000000-mapping.dmp

Download
memory/3836-2197-0x0000000000000000-mapping.dmp

Download
memory/3836-1330-0x0000000000000000-mapping.dmp

Download
memory/3844-2298-0x000000000041A1F8-mapping.dmp

Download
memory/3844-1887-0x0000000000000000-mapping.dmp

Download
memory/3844-2242-0x0000000000000000-mapping.dmp

Download
memory/3848-1277-0x0000000000000000-mapping.dmp

Download
memory/3852-1998-0x0000000000000000-mapping.dmp

Download
memory/3852-2285-0x0000000000000000-mapping.dmp

Download
memory/3852-306-0x0000000000000000-mapping.dmp

Download
memory/3860-2249-0x0000000000000000-mapping.dmp

Download
memory/3860-1900-0x000000000041A1F8-mapping.dmp

Download
memory/3864-330-0x0000000000000000-mapping.dmp

Download
memory/3872-1333-0x0000000000000000-mapping.dmp

Download
memory/3872-13-0x0000000000000000-mapping.dmp

Download
memory/3876-1044-0x0000000000000000-mapping.dmp

Download
memory/3876-2193-0x0000000000000000-mapping.dmp

Download
memory/3876-203-0x0000000000000000-mapping.dmp

Download
memory/3892-807-0x000000000041A1F8-mapping.dmp

Download
memory/3892-2084-0x0000000000000000-mapping.dmp

Download
memory/3896-1053-0x0000000000000000-mapping.dmp

Download
memory/3896-1994-0x0000000000000000-mapping.dmp

Download
memory/3896-2323-0x000000000041A1F8-mapping.dmp

Download
memory/3916-853-0x0000000000000000-mapping.dmp

Download
memory/3916-12-0x000000000041A1F8-mapping.dmp

Download
memory/3920-352-0x0000000000000000-mapping.dmp

Download
memory/3936-1734-0x0000000000000000-mapping.dmp

Download
memory/3936-1982-0x0000000000000000-mapping.dmp

Download
memory/3936-2356-0x000000000041A1F8-mapping.dmp

Download
memory/3940-309-0x000000000041A1F8-mapping.dmp

Download
memory/3944-1274-0x0000000000000000-mapping.dmp

Download
memory/3944-2346-0x0000000000000000-mapping.dmp

Download
memory/3956-189-0x0000000000000000-mapping.dmp

Download
memory/3964-841-0x0000000000000000-mapping.dmp

Download
memory/3972-2248-0x0000000000000000-mapping.dmp

Download
memory/3976-2081-0x0000000000000000-mapping.dmp

Download
memory/3976-2283-0x0000000000000000-mapping.dmp

Download
memory/3984-1901-0x0000000000000000-mapping.dmp

Download
memory/3984-2345-0x000000000041A1F8-mapping.dmp

Download
memory/4004-1174-0x0000000000000000-mapping.dmp

Download
memory/4032-1984-0x0000000000000000-mapping.dmp

Download
memory/4032-98-0x0000000000000000-mapping.dmp

Download
memory/4032-2308-0x0000000000000000-mapping.dmp

Download
memory/4036-603-0x0000000000000000-mapping.dmp

Download
memory/4036-8-0x0000000000000000-mapping.dmp

Download
memory/4048-2092-0x0000000000000000-mapping.dmp

Download
memory/4092-1611-0x0000000000000000-mapping.dmp

Download