95035a7201b03830ecb4d63aca8288e276a5cd7236a164d5df7290f7b2123148

Analysis

max time kernel
150s
max time network
136s
platform
windows10_x64
resource
win10
submitted
13-07-2020 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MT103-Swift.exe
Size

332KB
MD5

ff143f71d0e4587e2f48989ef1f0299d
SHA1

7e73614061675f7862de68bc74dbcbafde02f487
SHA256

95035a7201b03830ecb4d63aca8288e276a5cd7236a164d5df7290f7b2123148
SHA512

6d1bc2138730da8d344226841c5dee242889b6acc05c61b30b57518333492968c7019498e1cf1221d524b9e22bb9336ee74cc43779442050bfbeafbc440834bf

Score

7^/10

persistence spyware

Malware Config

Signatures

js 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/988-150-0x00000000012B0000-0x00000000015AC000-memory.dmp	js
behavioral2/memory/988-151-0x00000000012B0000-0x00000000015AC000-memory.dmp	js
behavioral2/memory/2304-309-0x00000000012B0000-0x00000000015AC000-memory.dmp	js
behavioral2/memory/2304-310-0x00000000012B0000-0x00000000015AC000-memory.dmp	js

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	help.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GZ7TKT2XKLN = "C:\\Program Files (x86)\\Oopap\\ax4dufwupgxtx.exe"	help.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Drops file in Program Files directory 1 IoCs

Processes:

help.exe

description ioc process

File opened for modification C:\Program Files (x86)\Oopap\ax4dufwupgxtx.exe help.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Oopap\ax4dufwupgxtx.exe	help.exe

Suspicious use of WriteProcessMemory 692 IoCs

Processes:

MT103-Swift.exeExplorer.EXEMT103-Swift.exehelp.exeMT103-Swift.exeMT103-Swift.exeMT103-Swift.exeMT103-Swift.exe

description	pid	process	target process
PID 3788 wrote to memory of 3896	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3896	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3896	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3956	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3956	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3956	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 3956	3788	MT103-Swift.exe	RegAsm.exe
PID 3788 wrote to memory of 2612	3788	MT103-Swift.exe	MT103-Swift.exe
PID 3788 wrote to memory of 2612	3788	MT103-Swift.exe	MT103-Swift.exe
PID 3788 wrote to memory of 2612	3788	MT103-Swift.exe	MT103-Swift.exe
PID 2980 wrote to memory of 3916	2980	Explorer.EXE	help.exe
PID 2980 wrote to memory of 3916	2980	Explorer.EXE	help.exe
PID 2980 wrote to memory of 3916	2980	Explorer.EXE	help.exe
PID 2612 wrote to memory of 3936	2612	MT103-Swift.exe	RegAsm.exe
PID 2612 wrote to memory of 3936	2612	MT103-Swift.exe	RegAsm.exe
PID 2612 wrote to memory of 3936	2612	MT103-Swift.exe	RegAsm.exe
PID 2612 wrote to memory of 3936	2612	MT103-Swift.exe	RegAsm.exe
PID 2612 wrote to memory of 3360	2612	MT103-Swift.exe	MT103-Swift.exe
PID 2612 wrote to memory of 3360	2612	MT103-Swift.exe	MT103-Swift.exe
PID 2612 wrote to memory of 3360	2612	MT103-Swift.exe	MT103-Swift.exe
PID 2980 wrote to memory of 3364	2980	Explorer.EXE	wlanext.exe
PID 2980 wrote to memory of 3364	2980	Explorer.EXE	wlanext.exe
PID 2980 wrote to memory of 3364	2980	Explorer.EXE	wlanext.exe
PID 3916 wrote to memory of 2972	3916	help.exe	cmd.exe
PID 3916 wrote to memory of 2972	3916	help.exe	cmd.exe
PID 3916 wrote to memory of 2972	3916	help.exe	cmd.exe
PID 3360 wrote to memory of 2072	3360	MT103-Swift.exe	RegAsm.exe
PID 3360 wrote to memory of 2072	3360	MT103-Swift.exe	RegAsm.exe
PID 3360 wrote to memory of 2072	3360	MT103-Swift.exe	RegAsm.exe
PID 3360 wrote to memory of 2072	3360	MT103-Swift.exe	RegAsm.exe
PID 3360 wrote to memory of 984	3360	MT103-Swift.exe	MT103-Swift.exe
PID 3360 wrote to memory of 984	3360	MT103-Swift.exe	MT103-Swift.exe
PID 3360 wrote to memory of 984	3360	MT103-Swift.exe	MT103-Swift.exe
PID 984 wrote to memory of 2968	984	MT103-Swift.exe	RegAsm.exe
PID 984 wrote to memory of 2968	984	MT103-Swift.exe	RegAsm.exe
PID 984 wrote to memory of 2968	984	MT103-Swift.exe	RegAsm.exe
PID 984 wrote to memory of 2968	984	MT103-Swift.exe	RegAsm.exe
PID 984 wrote to memory of 3144	984	MT103-Swift.exe	MT103-Swift.exe
PID 984 wrote to memory of 3144	984	MT103-Swift.exe	MT103-Swift.exe
PID 984 wrote to memory of 3144	984	MT103-Swift.exe	MT103-Swift.exe
PID 2980 wrote to memory of 3740	2980	Explorer.EXE	netsh.exe
PID 2980 wrote to memory of 3740	2980	Explorer.EXE	netsh.exe
PID 2980 wrote to memory of 3740	2980	Explorer.EXE	netsh.exe
PID 3144 wrote to memory of 3836	3144	MT103-Swift.exe	RegAsm.exe
PID 3144 wrote to memory of 3836	3144	MT103-Swift.exe	RegAsm.exe
PID 3144 wrote to memory of 3836	3144	MT103-Swift.exe	RegAsm.exe
PID 3144 wrote to memory of 3836	3144	MT103-Swift.exe	RegAsm.exe
PID 3144 wrote to memory of 3884	3144	MT103-Swift.exe	MT103-Swift.exe
PID 3144 wrote to memory of 3884	3144	MT103-Swift.exe	MT103-Swift.exe
PID 3144 wrote to memory of 3884	3144	MT103-Swift.exe	MT103-Swift.exe
PID 2980 wrote to memory of 3584	2980	Explorer.EXE	ipconfig.exe
PID 2980 wrote to memory of 3584	2980	Explorer.EXE	ipconfig.exe
PID 2980 wrote to memory of 3584	2980	Explorer.EXE	ipconfig.exe
PID 2980 wrote to memory of 3852	2980	Explorer.EXE	cmstp.exe
PID 2980 wrote to memory of 3852	2980	Explorer.EXE	cmstp.exe
PID 2980 wrote to memory of 3852	2980	Explorer.EXE	cmstp.exe
PID 3884 wrote to memory of 3856	3884	MT103-Swift.exe	RegAsm.exe
PID 3884 wrote to memory of 3856	3884	MT103-Swift.exe	RegAsm.exe
PID 3884 wrote to memory of 3856	3884	MT103-Swift.exe	RegAsm.exe
PID 3884 wrote to memory of 3856	3884	MT103-Swift.exe	RegAsm.exe
PID 3884 wrote to memory of 3036	3884	MT103-Swift.exe	MT103-Swift.exe
PID 3884 wrote to memory of 3036	3884	MT103-Swift.exe	MT103-Swift.exe
PID 3884 wrote to memory of 3036	3884	MT103-Swift.exe	MT103-Swift.exe
PID 2980 wrote to memory of 632	2980	Explorer.EXE	cmd.exe

Suspicious behavior: MapViewOfSection 288 IoCs

Processes:

MT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exehelp.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exe

pid	process
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3956	RegAsm.exe
2612	MT103-Swift.exe
3936	RegAsm.exe
3956	RegAsm.exe
3956	RegAsm.exe
3360	MT103-Swift.exe
2072	RegAsm.exe
3936	RegAsm.exe
3936	RegAsm.exe
3916	help.exe
984	MT103-Swift.exe
2968	RegAsm.exe
3144	MT103-Swift.exe
3836	RegAsm.exe
2968	RegAsm.exe
2968	RegAsm.exe
2072	RegAsm.exe
3916	help.exe
3884	MT103-Swift.exe
3856	RegAsm.exe
3836	RegAsm.exe
3836	RegAsm.exe
2072	RegAsm.exe
2072	RegAsm.exe
3036	MT103-Swift.exe
900	RegAsm.exe
3856	RegAsm.exe
3856	RegAsm.exe
3864	MT103-Swift.exe
3864	MT103-Swift.exe
1164	RegAsm.exe
900	RegAsm.exe
900	RegAsm.exe
1404	MT103-Swift.exe
1404	MT103-Swift.exe
1800	RegAsm.exe
1164	RegAsm.exe
1164	RegAsm.exe
2176	MT103-Swift.exe
2988	RegAsm.exe
4036	MT103-Swift.exe
3472	RegAsm.exe
1800	RegAsm.exe
2336	MT103-Swift.exe
2336	MT103-Swift.exe
3996	RegAsm.exe
2988	RegAsm.exe
668	MT103-Swift.exe
668	MT103-Swift.exe
668	MT103-Swift.exe
1800	RegAsm.exe
1800	RegAsm.exe
3804	RegAsm.exe
3996	RegAsm.exe
3996	RegAsm.exe
3472	RegAsm.exe
3268	MT103-Swift.exe
2988	RegAsm.exe
2988	RegAsm.exe
1476	RegAsm.exe
3804	RegAsm.exe
3804	RegAsm.exe

Suspicious use of SetThreadContext 140 IoCs

Processes:

MT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exehelp.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exe

description	pid	process	target process
PID 3788 set thread context of 3956	3788	MT103-Swift.exe	RegAsm.exe
PID 3956 set thread context of 2980	3956	RegAsm.exe	Explorer.EXE
PID 2612 set thread context of 3936	2612	MT103-Swift.exe	RegAsm.exe
PID 3936 set thread context of 2980	3936	RegAsm.exe	Explorer.EXE
PID 3360 set thread context of 2072	3360	MT103-Swift.exe	RegAsm.exe
PID 2072 set thread context of 2980	2072	RegAsm.exe	Explorer.EXE
PID 984 set thread context of 2968	984	MT103-Swift.exe	RegAsm.exe
PID 2968 set thread context of 2980	2968	RegAsm.exe	Explorer.EXE
PID 3144 set thread context of 3836	3144	MT103-Swift.exe	RegAsm.exe
PID 3836 set thread context of 2980	3836	RegAsm.exe	Explorer.EXE
PID 2072 set thread context of 2980	2072	RegAsm.exe	Explorer.EXE
PID 3916 set thread context of 2980	3916	help.exe	Explorer.EXE
PID 3884 set thread context of 3856	3884	MT103-Swift.exe	RegAsm.exe
PID 3856 set thread context of 2980	3856	RegAsm.exe	Explorer.EXE
PID 3036 set thread context of 900	3036	MT103-Swift.exe	RegAsm.exe
PID 900 set thread context of 2980	900	RegAsm.exe	Explorer.EXE
PID 3864 set thread context of 1164	3864	MT103-Swift.exe	RegAsm.exe
PID 1164 set thread context of 2980	1164	RegAsm.exe	Explorer.EXE
PID 1404 set thread context of 1800	1404	MT103-Swift.exe	RegAsm.exe
PID 1800 set thread context of 2980	1800	RegAsm.exe	Explorer.EXE
PID 2176 set thread context of 2988	2176	MT103-Swift.exe	RegAsm.exe
PID 2988 set thread context of 2980	2988	RegAsm.exe	Explorer.EXE
PID 4036 set thread context of 3472	4036	MT103-Swift.exe	RegAsm.exe
PID 3472 set thread context of 2980	3472	RegAsm.exe	Explorer.EXE
PID 1800 set thread context of 2980	1800	RegAsm.exe	Explorer.EXE
PID 2336 set thread context of 3996	2336	MT103-Swift.exe	RegAsm.exe
PID 3996 set thread context of 2980	3996	RegAsm.exe	Explorer.EXE
PID 2988 set thread context of 2980	2988	RegAsm.exe	Explorer.EXE
PID 668 set thread context of 3804	668	MT103-Swift.exe	RegAsm.exe
PID 3804 set thread context of 2980	3804	RegAsm.exe	Explorer.EXE
PID 3472 set thread context of 2980	3472	RegAsm.exe	Explorer.EXE
PID 3268 set thread context of 1476	3268	MT103-Swift.exe	RegAsm.exe
PID 1476 set thread context of 2980	1476	RegAsm.exe	Explorer.EXE
PID 1188 set thread context of 2528	1188	MT103-Swift.exe	RegAsm.exe
PID 2528 set thread context of 2980	2528	RegAsm.exe	Explorer.EXE
PID 2764 set thread context of 4092	2764	MT103-Swift.exe	RegAsm.exe
PID 4092 set thread context of 2980	4092	RegAsm.exe	Explorer.EXE
PID 1244 set thread context of 3572	1244	MT103-Swift.exe	RegAsm.exe
PID 3572 set thread context of 2980	3572	RegAsm.exe	Explorer.EXE
PID 2084 set thread context of 968	2084	MT103-Swift.exe	RegAsm.exe
PID 968 set thread context of 2980	968	RegAsm.exe	Explorer.EXE
PID 3940 set thread context of 416	3940	MT103-Swift.exe	RegAsm.exe
PID 416 set thread context of 2980	416	RegAsm.exe	Explorer.EXE
PID 680 set thread context of 3616	680	MT103-Swift.exe	RegAsm.exe
PID 3616 set thread context of 2980	3616	RegAsm.exe	Explorer.EXE
PID 1888 set thread context of 2364	1888	MT103-Swift.exe	RegAsm.exe
PID 2364 set thread context of 2980	2364	RegAsm.exe	Explorer.EXE
PID 1816 set thread context of 2108	1816	MT103-Swift.exe	RegAsm.exe
PID 2108 set thread context of 2980	2108	RegAsm.exe	Explorer.EXE
PID 2948 set thread context of 2000	2948	MT103-Swift.exe	RegAsm.exe
PID 2000 set thread context of 2980	2000	RegAsm.exe	Explorer.EXE
PID 3568 set thread context of 2764	3568	MT103-Swift.exe	RegAsm.exe
PID 2764 set thread context of 2980	2764	RegAsm.exe	Explorer.EXE
PID 3844 set thread context of 896	3844	MT103-Swift.exe	RegAsm.exe
PID 896 set thread context of 2980	896	RegAsm.exe	Explorer.EXE
PID 2000 set thread context of 2980	2000	RegAsm.exe	Explorer.EXE
PID 640 set thread context of 3820	640	MT103-Swift.exe	RegAsm.exe
PID 3820 set thread context of 2980	3820	RegAsm.exe	Explorer.EXE
PID 3884 set thread context of 1116	3884	MT103-Swift.exe	RegAsm.exe
PID 1116 set thread context of 2980	1116	RegAsm.exe	Explorer.EXE
PID 1892 set thread context of 4040	1892	MT103-Swift.exe	RegAsm.exe
PID 4040 set thread context of 2980	4040	RegAsm.exe	Explorer.EXE
PID 3820 set thread context of 2980	3820	RegAsm.exe	Explorer.EXE
PID 3864 set thread context of 3620	3864	MT103-Swift.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 190 IoCs

Processes:

MT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exehelp.exeMT103-Swift.exeRegAsm.exewlanext.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeExplorer.EXERegAsm.exenetsh.exeMT103-Swift.exeRegAsm.exeipconfig.exeMT103-Swift.execmstp.exeRegAsm.execmd.exeMT103-Swift.exeRegAsm.execmmon32.exeMT103-Swift.exeRegAsm.exechkdsk.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeRegAsm.exesvchost.exesystray.exeMT103-Swift.exeRegAsm.execmstp.execmd.exeMT103-Swift.exeRegAsm.exesvchost.execscript.exeMT103-Swift.exeRegAsm.exemsdt.exeMT103-Swift.exeRegAsm.exewscript.exeMT103-Swift.exeRegAsm.execmstp.exeMT103-Swift.exeRegAsm.execmmon32.exeMT103-Swift.exeRegAsm.exeMT103-Swift.exeexplorer.exeRegAsm.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3788	MT103-Swift.exe
Token: SeDebugPrivilege	3956	RegAsm.exe
Token: SeDebugPrivilege	2612	MT103-Swift.exe
Token: SeDebugPrivilege	3936	RegAsm.exe
Token: SeDebugPrivilege	3916	help.exe
Token: SeDebugPrivilege	3360	MT103-Swift.exe
Token: SeDebugPrivilege	2072	RegAsm.exe
Token: SeDebugPrivilege	3364	wlanext.exe
Token: SeDebugPrivilege	984	MT103-Swift.exe
Token: SeDebugPrivilege	2968	RegAsm.exe
Token: SeDebugPrivilege	3144	MT103-Swift.exe
Token: SeShutdownPrivilege	2980	Explorer.EXE
Token: SeCreatePagefilePrivilege	2980	Explorer.EXE
Token: SeDebugPrivilege	3836	RegAsm.exe
Token: SeDebugPrivilege	3740	netsh.exe
Token: SeDebugPrivilege	3884	MT103-Swift.exe
Token: SeDebugPrivilege	3856	RegAsm.exe
Token: SeDebugPrivilege	3584	ipconfig.exe
Token: SeDebugPrivilege	3036	MT103-Swift.exe
Token: SeDebugPrivilege	3852	cmstp.exe
Token: SeDebugPrivilege	900	RegAsm.exe
Token: SeDebugPrivilege	632	cmd.exe
Token: SeDebugPrivilege	3864	MT103-Swift.exe
Token: SeDebugPrivilege	1164	RegAsm.exe
Token: SeDebugPrivilege	3556	cmmon32.exe
Token: SeDebugPrivilege	1404	MT103-Swift.exe
Token: SeDebugPrivilege	1800	RegAsm.exe
Token: SeDebugPrivilege	1624	chkdsk.exe
Token: SeDebugPrivilege	2176	MT103-Swift.exe
Token: SeDebugPrivilege	2988	RegAsm.exe
Token: SeDebugPrivilege	4036	MT103-Swift.exe
Token: SeDebugPrivilege	3472	RegAsm.exe
Token: SeDebugPrivilege	2336	MT103-Swift.exe
Token: SeDebugPrivilege	3996	RegAsm.exe
Token: SeDebugPrivilege	668	MT103-Swift.exe
Token: SeDebugPrivilege	3804	RegAsm.exe
Token: SeDebugPrivilege	2720	svchost.exe
Token: SeDebugPrivilege	992	systray.exe
Token: SeDebugPrivilege	3268	MT103-Swift.exe
Token: SeDebugPrivilege	1476	RegAsm.exe
Token: SeDebugPrivilege	2912	cmstp.exe
Token: SeDebugPrivilege	3484	cmd.exe
Token: SeDebugPrivilege	1188	MT103-Swift.exe
Token: SeDebugPrivilege	2528	RegAsm.exe
Token: SeDebugPrivilege	1200	svchost.exe
Token: SeDebugPrivilege	3108	cscript.exe
Token: SeDebugPrivilege	2764	MT103-Swift.exe
Token: SeDebugPrivilege	4092	RegAsm.exe
Token: SeDebugPrivilege	1332	msdt.exe
Token: SeDebugPrivilege	1244	MT103-Swift.exe
Token: SeDebugPrivilege	3572	RegAsm.exe
Token: SeDebugPrivilege	3228	wscript.exe
Token: SeDebugPrivilege	2084	MT103-Swift.exe
Token: SeDebugPrivilege	968	RegAsm.exe
Token: SeDebugPrivilege	3876	cmstp.exe
Token: SeDebugPrivilege	3940	MT103-Swift.exe
Token: SeDebugPrivilege	416	RegAsm.exe
Token: SeDebugPrivilege	2660	cmmon32.exe
Token: SeDebugPrivilege	680	MT103-Swift.exe
Token: SeDebugPrivilege	3616	RegAsm.exe
Token: SeDebugPrivilege	1888	MT103-Swift.exe
Token: SeDebugPrivilege	1644	explorer.exe
Token: SeDebugPrivilege	2364	RegAsm.exe
Token: SeDebugPrivilege	2652	msiexec.exe

Suspicious behavior: EnumeratesProcesses 22823 IoCs

Processes:

MT103-Swift.exe

pid	process
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe
3788	MT103-Swift.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
7⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
23⤵
- Suspicious use of SetThreadContext
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
PID:2108

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
24⤵
- Suspicious use of SetThreadContext
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
PID:2000

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
25⤵
- Suspicious use of SetThreadContext
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:2764

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
26⤵
- Suspicious use of SetThreadContext
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:896

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
27⤵
- Suspicious use of SetThreadContext
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3820

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of SetThreadContext
PID:1116

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
29⤵
- Suspicious use of SetThreadContext
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of SetThreadContext
PID:4040

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
31⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
30⤵
- Suspicious use of SetThreadContext
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3620

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
32⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
31⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
32⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
33⤵
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
34⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
35⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
36⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
37⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
38⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
39⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
40⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
41⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
42⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
43⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
44⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
45⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
46⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
47⤵
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
48⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
49⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
50⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
51⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
52⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:3864

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
54⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
53⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
54⤵
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
55⤵
PID:3160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2208

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
57⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
56⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
57⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
58⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
59⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
60⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
61⤵
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
62⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe
"C:\Users\Admin\AppData\Local\Temp\MT103-Swift.exe"
63⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2884

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Adds Run entry to start application
- Modifies Internet Explorer settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:500

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:852

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:1624

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2244

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2252

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2388

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2532

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2544

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2756

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2776

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:988

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:2148

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:3656

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:2612

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:1408

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3816

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:1276

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:3788

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:3912

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2348

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:1908

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:568

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3688

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:2864

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3824

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1848

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1660

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:2304

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2212

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
PID:1404

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3612

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2908

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:3940

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
PID:3884

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:3340

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3392

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3488

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:856

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2552

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3144

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1100

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:64

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2144

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1828

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2948

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2384

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:2812

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2960

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2420

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:1828

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2884

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3144

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2960

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3992

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2540

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1432

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\972B4OAV\972logrv.ini

Download Submit
memory/64-349-0x0000000000000000-mapping.dmp

Download
memory/64-394-0x000000000041E2C0-mapping.dmp

Download
memory/412-204-0x0000000000000000-mapping.dmp

Download
memory/412-274-0x000000000041E2C0-mapping.dmp

Download
memory/416-121-0x000000000041E2C0-mapping.dmp

Download
memory/488-339-0x000000000041E2C0-mapping.dmp

Download
memory/500-176-0x0000000000000000-mapping.dmp

Download
memory/568-266-0x0000000000000000-mapping.dmp

Download
memory/568-268-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/568-267-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/576-390-0x0000000000000000-mapping.dmp

Download
memory/576-376-0x0000000000B40000-0x0000000000B4B000-memory.dmp

Filesize
44KB

Download
memory/576-375-0x0000000000000000-mapping.dmp

Download
memory/576-377-0x0000000000B40000-0x0000000000B4B000-memory.dmp

Filesize
44KB

Download
memory/576-391-0x00000000009D0000-0x00000000009E9000-memory.dmp

Filesize
100KB

Download
memory/576-392-0x00000000009D0000-0x00000000009E9000-memory.dmp

Filesize
100KB

Download
memory/632-43-0x0000000000000000-mapping.dmp

Download
memory/632-44-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/632-45-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/640-158-0x0000000000000000-mapping.dmp

Download
memory/668-68-0x0000000000000000-mapping.dmp

Download
memory/680-122-0x0000000000000000-mapping.dmp

Download
memory/800-188-0x0000000000000000-mapping.dmp

Download
memory/800-227-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/800-226-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/800-225-0x0000000000000000-mapping.dmp

Download
memory/804-300-0x0000000000000000-mapping.dmp

Download
memory/852-200-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/852-199-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/852-198-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/852-197-0x0000000000000000-mapping.dmp

Download
memory/896-157-0x000000000041E2C0-mapping.dmp

Download
memory/900-41-0x000000000041E2C0-mapping.dmp

Download
memory/904-256-0x0000000000000000-mapping.dmp

Download
memory/968-114-0x000000000041E2C0-mapping.dmp

Download
memory/984-12-0x0000000000000000-mapping.dmp

Download
memory/988-150-0x00000000012B0000-0x00000000015AC000-memory.dmp

Filesize
3.0MB

Download
memory/988-151-0x00000000012B0000-0x00000000015AC000-memory.dmp

Filesize
3.0MB

Download
memory/988-149-0x0000000000000000-mapping.dmp

Download
memory/992-79-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/992-78-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/992-77-0x0000000000000000-mapping.dmp

Download
memory/1044-320-0x0000000000000000-mapping.dmp

Download
memory/1044-369-0x000000000041E2C0-mapping.dmp

Download
memory/1072-242-0x000000000041E2C0-mapping.dmp

Download
memory/1080-326-0x000000000041E2C0-mapping.dmp

Download
memory/1100-395-0x0000000000000000-mapping.dmp

Download
memory/1116-170-0x000000000041E2C0-mapping.dmp

Download
memory/1164-47-0x000000000041E2C0-mapping.dmp

Download
memory/1188-83-0x0000000000000000-mapping.dmp

Download
memory/1196-373-0x000000000041E2C0-mapping.dmp

Download
memory/1200-94-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/1200-95-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/1200-93-0x0000000000000000-mapping.dmp

Download
memory/1244-312-0x000000000041E2C0-mapping.dmp

Download
memory/1244-102-0x0000000000000000-mapping.dmp

Download
memory/1260-296-0x000000000041E2C0-mapping.dmp

Download
memory/1276-218-0x0000000000000000-mapping.dmp

Download
memory/1276-220-0x00000000009D0000-0x00000000009E9000-memory.dmp

Filesize
100KB

Download
memory/1276-219-0x00000000009D0000-0x00000000009E9000-memory.dmp

Filesize
100KB

Download
memory/1292-203-0x000000000041E2C0-mapping.dmp

Download
memory/1332-106-0x0000000000EB0000-0x0000000001023000-memory.dmp

Filesize
1.4MB

Download
memory/1332-104-0x0000000000000000-mapping.dmp

Download
memory/1332-105-0x0000000000EB0000-0x0000000001023000-memory.dmp

Filesize
1.4MB

Download
memory/1376-413-0x000000000041E2C0-mapping.dmp

Download
memory/1380-240-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1380-239-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1380-238-0x0000000000000000-mapping.dmp

Download
memory/1404-324-0x0000000000B40000-0x0000000000B4B000-memory.dmp

Filesize
44KB

Download
memory/1404-48-0x0000000000000000-mapping.dmp

Download
memory/1404-322-0x0000000000000000-mapping.dmp

Download
memory/1404-323-0x0000000000B40000-0x0000000000B4B000-memory.dmp

Filesize
44KB

Download
memory/1408-195-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1408-194-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1408-193-0x0000000000000000-mapping.dmp

Download
memory/1412-209-0x000000000041E2C0-mapping.dmp

Download
memory/1432-388-0x0000000000000000-mapping.dmp

Download
memory/1476-82-0x000000000041E2C0-mapping.dmp

Download
memory/1588-248-0x000000000041E2C0-mapping.dmp

Download
memory/1592-353-0x000000000041E2C0-mapping.dmp

Download
memory/1624-57-0x0000000000000000-mapping.dmp

Download
memory/1624-58-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/1624-59-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/1640-340-0x0000000000000000-mapping.dmp

Download
memory/1640-361-0x0000000000000000-mapping.dmp

Download
memory/1644-131-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/1644-130-0x0000000000000000-mapping.dmp

Download
memory/1644-132-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/1660-303-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1660-302-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1660-301-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x000000000041E2C0-mapping.dmp

Download
memory/1816-135-0x0000000000000000-mapping.dmp

Download
memory/1828-410-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/1828-409-0x0000000000000000-mapping.dmp

Download
memory/1828-275-0x0000000000000000-mapping.dmp

Download
memory/1828-411-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/1848-297-0x0000000000000000-mapping.dmp

Download
memory/1848-298-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1848-299-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/1888-128-0x0000000000000000-mapping.dmp

Download
memory/1892-171-0x0000000000000000-mapping.dmp

Download
memory/1892-264-0x0000000000000000-mapping.dmp

Download
memory/1892-374-0x0000000000000000-mapping.dmp

Download
memory/1908-251-0x0000000000000000-mapping.dmp

Download
memory/1908-253-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/1908-252-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/2000-147-0x000000000041E2C0-mapping.dmp

Download
memory/2024-405-0x0000000000000000-mapping.dmp

Download
memory/2024-406-0x0000000000EB0000-0x0000000001023000-memory.dmp

Filesize
1.4MB

Download
memory/2024-333-0x0000000000000000-mapping.dmp

Download
memory/2024-408-0x0000000000EB0000-0x0000000001023000-memory.dmp

Filesize
1.4MB

Download
memory/2072-11-0x000000000041E2C0-mapping.dmp

Download
memory/2084-174-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/2084-109-0x0000000000000000-mapping.dmp

Download
memory/2084-172-0x0000000000000000-mapping.dmp

Download
memory/2084-173-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/2108-140-0x000000000041E2C0-mapping.dmp

Download
memory/2144-210-0x0000000000000000-mapping.dmp

Download
memory/2148-161-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/2148-162-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/2148-160-0x0000000000000000-mapping.dmp

Download
memory/2156-404-0x000000000041E2C0-mapping.dmp

Download
memory/2164-212-0x000000000041E2C0-mapping.dmp

Download
memory/2176-55-0x0000000000000000-mapping.dmp

Download
memory/2180-348-0x000000000041E2C0-mapping.dmp

Download
memory/2180-233-0x0000000000000000-mapping.dmp

Download
memory/2208-360-0x000000000041E2C0-mapping.dmp

Download
memory/2208-223-0x0000000000000000-mapping.dmp

Download
memory/2212-315-0x0000000000000000-mapping.dmp

Download
memory/2212-316-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/2212-317-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/2252-255-0x000000000041E2C0-mapping.dmp

Download
memory/2304-309-0x00000000012B0000-0x00000000015AC000-memory.dmp

Filesize
3.0MB

Download
memory/2304-310-0x00000000012B0000-0x00000000015AC000-memory.dmp

Filesize
3.0MB

Download
memory/2304-308-0x0000000000000000-mapping.dmp

Download
memory/2336-65-0x0000000000000000-mapping.dmp

Download
memory/2348-244-0x0000000000000000-mapping.dmp

Download
memory/2348-246-0x0000000000190000-0x00000000001A3000-memory.dmp

Filesize
76KB

Download
memory/2348-245-0x0000000000190000-0x00000000001A3000-memory.dmp

Filesize
76KB

Download
memory/2364-134-0x000000000041E2C0-mapping.dmp

Download
memory/2420-401-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2420-402-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2420-400-0x0000000000000000-mapping.dmp

Download
memory/2528-91-0x000000000041E2C0-mapping.dmp

Download
memory/2532-332-0x000000000041E2C0-mapping.dmp

Download
memory/2540-217-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/2540-215-0x0000000000000000-mapping.dmp

Download
memory/2540-216-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/2544-346-0x0000000000000000-mapping.dmp

Download
memory/2612-182-0x0000000000000000-mapping.dmp

Download
memory/2612-183-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/2612-184-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/2612-2-0x0000000000000000-mapping.dmp

Download
memory/2652-136-0x0000000000000000-mapping.dmp

Download
memory/2652-137-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2652-138-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/2660-123-0x0000000000000000-mapping.dmp

Download
memory/2660-124-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2660-125-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2720-73-0x0000000000000000-mapping.dmp

Download
memory/2720-74-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2720-75-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2764-92-0x0000000000000000-mapping.dmp

Download
memory/2764-153-0x000000000041E2C0-mapping.dmp

Download
memory/2776-143-0x0000000000000000-mapping.dmp

Download
memory/2776-144-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2776-145-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2812-378-0x0000000000000000-mapping.dmp

Download
memory/2812-379-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/2812-380-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/2812-291-0x0000000000000000-mapping.dmp

Download
memory/2832-319-0x000000000041E2C0-mapping.dmp

Download
memory/2832-281-0x0000000000000000-mapping.dmp

Download
memory/2864-283-0x0000000000000000-mapping.dmp

Download
memory/2864-285-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/2864-284-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/2884-416-0x000000000041E2C0-mapping.dmp

Download
memory/2908-337-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/2908-335-0x0000000000000000-mapping.dmp

Download
memory/2908-336-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/2912-84-0x0000000000000000-mapping.dmp

Download
memory/2912-85-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/2912-86-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/2948-399-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/2948-141-0x0000000000000000-mapping.dmp

Download
memory/2948-398-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/2948-397-0x0000000000000000-mapping.dmp

Download
memory/2968-17-0x000000000041E2C0-mapping.dmp

Download
memory/2972-9-0x0000000000000000-mapping.dmp

Download
memory/2980-389-0x000000000D8C0000-0x000000000D9FD000-memory.dmp

Filesize
1.2MB

Download
memory/2980-350-0x000000000CFE0000-0x000000000D117000-memory.dmp

Filesize
1.2MB

Download
memory/2980-56-0x0000000009290000-0x000000000941B000-memory.dmp

Filesize
1.5MB

Download
memory/2980-49-0x00000000090E0000-0x000000000928A000-memory.dmp

Filesize
1.7MB

Download
memory/2980-307-0x000000000C690000-0x000000000C792000-memory.dmp

Filesize
1.0MB

Download
memory/2980-237-0x000000000B800000-0x000000000B981000-memory.dmp

Filesize
1.5MB

Download
memory/2980-96-0x0000000005BF0000-0x0000000005D23000-memory.dmp

Filesize
1.2MB

Download
memory/2980-385-0x000000000D7D0000-0x000000000D8B7000-memory.dmp

Filesize
924KB

Download
memory/2980-189-0x000000000ADB0000-0x000000000AEE9000-memory.dmp

Filesize
1.2MB

Download
memory/2980-381-0x000000000D6C0000-0x000000000D7D0000-memory.dmp

Filesize
1.1MB

Download
memory/2980-19-0x0000000004C20000-0x0000000004CF6000-memory.dmp

Filesize
856KB

Download
memory/2980-185-0x000000000AC90000-0x000000000ADAF000-memory.dmp

Filesize
1.1MB

Download
memory/2980-314-0x000000000C7A0000-0x000000000C8BC000-memory.dmp

Filesize
1.1MB

Download
memory/2980-201-0x000000000AEF0000-0x000000000B07F000-memory.dmp

Filesize
1.6MB

Download
memory/2980-371-0x000000000C370000-0x000000000C4E1000-memory.dmp

Filesize
1.4MB

Download
memory/2980-181-0x000000000AB00000-0x000000000AC0B000-memory.dmp

Filesize
1.0MB

Download
memory/2980-250-0x000000000B990000-0x000000000BA68000-memory.dmp

Filesize
864KB

Download
memory/2980-26-0x00000000006C0000-0x00000000007AF000-memory.dmp

Filesize
956KB

Download
memory/2980-155-0x0000000006B50000-0x0000000006BFF000-memory.dmp

Filesize
700KB

Download
memory/2980-142-0x0000000005D30000-0x0000000005DE1000-memory.dmp

Filesize
708KB

Download
memory/2980-355-0x000000000D230000-0x000000000D332000-memory.dmp

Filesize
1.0MB

Download
memory/2980-321-0x000000000C8C0000-0x000000000CA6B000-memory.dmp

Filesize
1.7MB

Download
memory/2980-80-0x000000000A6B0000-0x000000000A7F1000-memory.dmp

Filesize
1.3MB

Download
memory/2980-76-0x0000000009B00000-0x0000000009C1B000-memory.dmp

Filesize
1.1MB

Download
memory/2980-116-0x00000000062D0000-0x0000000006422000-memory.dmp

Filesize
1.3MB

Download
memory/2980-282-0x000000000C0C0000-0x000000000C203000-memory.dmp

Filesize
1.3MB

Download
memory/2980-351-0x000000000D120000-0x000000000D228000-memory.dmp

Filesize
1.0MB

Download
memory/2980-396-0x000000000DBB0000-0x000000000DD32000-memory.dmp

Filesize
1.5MB

Download
memory/2980-214-0x000000000B470000-0x000000000B588000-memory.dmp

Filesize
1.1MB

Download
memory/2980-265-0x000000000BB50000-0x000000000BC40000-memory.dmp

Filesize
960KB

Download
memory/2980-28-0x0000000006950000-0x0000000006A8E000-memory.dmp

Filesize
1.2MB

Download
memory/2980-69-0x0000000009980000-0x0000000009AF6000-memory.dmp

Filesize
1.5MB

Download
memory/2980-224-0x000000000B6A0000-0x000000000B7F6000-memory.dmp

Filesize
1.3MB

Download
memory/2980-269-0x000000000BC40000-0x000000000BD92000-memory.dmp

Filesize
1.3MB

Download
memory/2980-175-0x0000000007050000-0x0000000007121000-memory.dmp

Filesize
836KB

Download
memory/2980-129-0x0000000008EE0000-0x000000000908C000-memory.dmp

Filesize
1.7MB

Download
memory/2980-334-0x000000000CBB0000-0x000000000CCE4000-memory.dmp

Filesize
1.2MB

Download
memory/2980-103-0x0000000005970000-0x0000000005A20000-memory.dmp

Filesize
704KB

Download
memory/2980-159-0x0000000008860000-0x00000000089B5000-memory.dmp

Filesize
1.3MB

Download
memory/2988-61-0x000000000041E2C0-mapping.dmp

Download
memory/2996-280-0x000000000041E2C0-mapping.dmp

Download
memory/3004-370-0x0000000000000000-mapping.dmp

Download
memory/3036-32-0x0000000000000000-mapping.dmp

Download
memory/3064-313-0x0000000000000000-mapping.dmp

Download
memory/3064-272-0x0000000000000000-mapping.dmp

Download
memory/3108-99-0x0000000001080000-0x00000000010A7000-memory.dmp

Filesize
156KB

Download
memory/3108-98-0x0000000001080000-0x00000000010A7000-memory.dmp

Filesize
156KB

Download
memory/3108-97-0x0000000000000000-mapping.dmp

Download
memory/3144-18-0x0000000000000000-mapping.dmp

Download
memory/3160-354-0x0000000000000000-mapping.dmp

Download
memory/3160-387-0x000000000041E2C0-mapping.dmp

Download
memory/3228-111-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/3228-112-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/3228-110-0x0000000000000000-mapping.dmp

Download
memory/3260-383-0x000000000041E2C0-mapping.dmp

Download
memory/3268-72-0x0000000000000000-mapping.dmp

Download
memory/3340-362-0x0000000000000000-mapping.dmp

Download
memory/3340-364-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/3340-363-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/3360-5-0x0000000000000000-mapping.dmp

Download
memory/3364-13-0x0000000000000000-mapping.dmp

Download
memory/3364-15-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/3364-14-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/3392-365-0x0000000000000000-mapping.dmp

Download
memory/3392-366-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/3392-367-0x0000000000B30000-0x0000000000F6F000-memory.dmp

Filesize
4.2MB

Download
memory/3448-384-0x0000000000000000-mapping.dmp

Download
memory/3452-232-0x000000000041E2C0-mapping.dmp

Download
memory/3472-64-0x000000000041E2C0-mapping.dmp

Download
memory/3484-87-0x0000000000000000-mapping.dmp

Download
memory/3484-88-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/3484-89-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/3556-50-0x0000000000000000-mapping.dmp

Download
memory/3556-52-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/3556-51-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/3568-148-0x0000000000000000-mapping.dmp

Download
memory/3568-294-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/3568-293-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/3568-249-0x0000000000000000-mapping.dmp

Download
memory/3568-292-0x0000000000000000-mapping.dmp

Download
memory/3572-108-0x000000000041E2C0-mapping.dmp

Download
memory/3584-35-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3584-34-0x0000000000000000-mapping.dmp

Download
memory/3584-36-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3588-271-0x000000000041E2C0-mapping.dmp

Download
memory/3596-191-0x000000000041E2C0-mapping.dmp

Download
memory/3612-328-0x0000000000000000-mapping.dmp

Download
memory/3612-329-0x0000000000190000-0x00000000001A3000-memory.dmp

Filesize
76KB

Download
memory/3612-330-0x0000000000190000-0x00000000001A3000-memory.dmp

Filesize
76KB

Download
memory/3616-127-0x000000000041E2C0-mapping.dmp

Download
memory/3620-187-0x000000000041E2C0-mapping.dmp

Download
memory/3656-167-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3656-166-0x0000000000000000-mapping.dmp

Download
memory/3656-168-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3676-243-0x0000000000000000-mapping.dmp

Download
memory/3688-276-0x0000000000000000-mapping.dmp

Download
memory/3688-277-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3688-278-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3740-23-0x0000000000000000-mapping.dmp

Download
memory/3740-25-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/3740-24-0x00000000011B0000-0x00000000011CE000-memory.dmp

Filesize
120KB

Download
memory/3788-230-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/3788-229-0x0000000001300000-0x0000000001306000-memory.dmp

Filesize
24KB

Download
memory/3788-228-0x0000000000000000-mapping.dmp

Download
memory/3792-192-0x0000000000000000-mapping.dmp

Download
memory/3804-71-0x000000000041E2C0-mapping.dmp

Download
memory/3816-206-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/3816-207-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/3816-205-0x0000000000000000-mapping.dmp

Download
memory/3820-164-0x000000000041E2C0-mapping.dmp

Download
memory/3824-288-0x0000000000000000-mapping.dmp

Download
memory/3824-289-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3824-290-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3828-263-0x000000000041E2C0-mapping.dmp

Download
memory/3828-213-0x0000000000000000-mapping.dmp

Download
memory/3836-21-0x000000000041E2C0-mapping.dmp

Download
memory/3844-154-0x0000000000000000-mapping.dmp

Download
memory/3844-305-0x000000000041E2C0-mapping.dmp

Download
memory/3852-40-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3852-38-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3852-37-0x0000000000000000-mapping.dmp

Download
memory/3856-31-0x000000000041E2C0-mapping.dmp

Download
memory/3860-414-0x0000000000000000-mapping.dmp

Download
memory/3864-306-0x0000000000000000-mapping.dmp

Download
memory/3864-180-0x0000000000000000-mapping.dmp

Download
memory/3864-345-0x000000000041E2C0-mapping.dmp

Download
memory/3864-42-0x0000000000000000-mapping.dmp

Download
memory/3872-407-0x0000000000000000-mapping.dmp

Download
memory/3872-327-0x0000000000000000-mapping.dmp

Download
memory/3876-117-0x0000000000000000-mapping.dmp

Download
memory/3876-119-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3876-118-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3884-165-0x0000000000000000-mapping.dmp

Download
memory/3884-22-0x0000000000000000-mapping.dmp

Download
memory/3884-357-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3884-356-0x0000000000000000-mapping.dmp

Download
memory/3884-358-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3892-287-0x000000000041E2C0-mapping.dmp

Download
memory/3912-236-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/3912-234-0x0000000000000000-mapping.dmp

Download
memory/3912-235-0x0000000000AA0000-0x0000000000AC7000-memory.dmp

Filesize
156KB

Download
memory/3916-6-0x0000000000000000-mapping.dmp

Download
memory/3916-27-0x0000000001210000-0x00000000012BF000-memory.dmp

Filesize
700KB

Download
memory/3916-196-0x0000000005B60000-0x0000000005BF0000-memory.dmp

Filesize
576KB

Download
memory/3916-8-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3916-7-0x00000000012C0000-0x00000000012C7000-memory.dmp

Filesize
28KB

Download
memory/3936-4-0x000000000041E2C0-mapping.dmp

Download
memory/3940-115-0x0000000000000000-mapping.dmp

Download
memory/3940-341-0x0000000000000000-mapping.dmp

Download
memory/3940-343-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/3940-342-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/3956-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3956-1-0x000000000041E2C0-mapping.dmp

Download
memory/3996-67-0x000000000041E2C0-mapping.dmp

Download
memory/4012-222-0x000000000041E2C0-mapping.dmp

Download
memory/4036-62-0x0000000000000000-mapping.dmp

Download
memory/4040-179-0x000000000041E2C0-mapping.dmp

Download
memory/4092-101-0x000000000041E2C0-mapping.dmp

Download