nanocore | a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae

Analysis

max time kernel
12s
max time network
73s
platform
windows10_x64
resource
win10v20210408
submitted
23-06-2021 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
Size

1.1MB
MD5

aa4c23269c9b3026cf16225badbf7d5f
SHA1

78247b69edd8cf0bdc064fcae5ab31470c62ab3a
SHA256

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e
SHA512

c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c

Score

10^/10

nanocore netwire wshrat botnet evasion keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

netwire

donphilongz.org:5005

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
uTGwFNvi
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1508-137-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral2/memory/4056-149-0x0000000000500000-0x00000000005AE000-memory.dmp	netwire
behavioral2/memory/192-177-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral2/memory/2560-221-0x0000000000500000-0x00000000005AE000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Executes dropped EXE 31 IoCs

Processes:

syststemfile.exesystemfiles.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exesystemstability.exesystemstability.exeHost.exewscript.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exeHost.exesystemefile.exenotepad.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

pid	process
2996	syststemfile.exe
2720	systemfiles.exe
3588	systemefile.exe
1508	systemefile.exe
1796	systemstability.exe
496	systemefile.exe
2120	systemstability.exe
4056	systemstability.exe
2552	Host.exe
3796	wscript.exe
1420	systemefile.exe
192	systemefile.exe
2096	systemefile.exe
3832	systemefile.exe
2324	systemefile.exe
2476	systemefile.exe
4088	systemefile.exe
2300	systemefile.exe
3032	systemefile.exe
4088	systemefile.exe
2560	systemefile.exe
3340	systemefile.exe
2776	systemefile.exe
1932	systemefile.exe
200	Host.exe
2812	systemefile.exe
796	notepad.exe
3836	systemefile.exe
3796	systemefile.exe
1976	systemefile.exe
3840	systemefile.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2120-145-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Drops startup file 8 IoCs

Processes:

wscript.exewscript.exenotepad.exenotepad.exesystemefile.exenotepad.exeWScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfQEWRrrdw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfQEWRrrdw.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemstability.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	WScript.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exeWScript.exesystemefile.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	systemefile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\appdata\\systemefile.exe"	systemefile.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

systemstability.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA systemstability.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemstability.exe

flow	ioc
16	ip-api.com

Suspicious use of SetThreadContext 10 IoCs

Processes:

systemefile.exesystemstability.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

description	pid	process	target process
PID 3588 set thread context of 1508	3588	systemefile.exe	systemefile.exe
PID 1796 set thread context of 2120	1796	systemstability.exe	systemstability.exe
PID 3796 set thread context of 192	3796	systemefile.exe	systemefile.exe
PID 1420 set thread context of 3832	1420	systemefile.exe	systemefile.exe
PID 2476 set thread context of 4088	2476	systemefile.exe	systemefile.exe
PID 3032 set thread context of 4088	3032	systemefile.exe	systemefile.exe
PID 3340 set thread context of 2776	3340	systemefile.exe	systemefile.exe
PID 2812 set thread context of 796	2812	systemefile.exe	notepad.exe
PID 3796 set thread context of 3840	3796	systemefile.exe	systemefile.exe
PID 1976 set thread context of 2264	1976	systemefile.exe	systemefile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe

NTFS ADS 4 IoCs

Processes:

notepad.exesystemefile.exenotepad.exenotepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	24	WSHRAT\|3ED10BF6\|GFBFPSXA\|Admin\|Microsoft Windows 10 Enterprise\|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

syststemfile.exesystemfiles.exesystemefile.exesystemstability.exesystemefile.exesystemstability.exeHost.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

pid	process
2996	syststemfile.exe
2996	syststemfile.exe
2720	systemfiles.exe
2720	systemfiles.exe
3588	systemefile.exe
3588	systemefile.exe
1796	systemstability.exe
1796	systemstability.exe
496	systemefile.exe
496	systemefile.exe
496	systemefile.exe
496	systemefile.exe
496	systemefile.exe
496	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
4056	systemstability.exe
4056	systemstability.exe
496	systemefile.exe
496	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2552	Host.exe
2552	Host.exe
496	systemefile.exe
496	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
3796	systemefile.exe
3796	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
4056	systemstability.exe
4056	systemstability.exe
1420	systemefile.exe
1420	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2096	systemefile.exe
2096	systemefile.exe
2096	systemefile.exe
2096	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2096	systemefile.exe
2096	systemefile.exe
2324	systemefile.exe
2324	systemefile.exe
2324	systemefile.exe
2324	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2096	systemefile.exe
2096	systemefile.exe
2476	systemefile.exe
2476	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2096	systemefile.exe
2096	systemefile.exe
4056	systemstability.exe
4056	systemstability.exe
2096	systemefile.exe
2096	systemefile.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

systemefile.exesystemstability.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

pid	process
3588	systemefile.exe
1796	systemstability.exe
3796	systemefile.exe
1420	systemefile.exe
2476	systemefile.exe
3032	systemefile.exe
3340	systemefile.exe
2812	systemefile.exe
3796	systemefile.exe
1976	systemefile.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

systemstability.exe

description pid process

Token: SeDebugPrivilege 2120 systemstability.exe

description	pid	process
Token: SeDebugPrivilege	2120	systemstability.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exesyststemfile.exesystemfiles.exenotepad.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exeHost.exesystemefile.exesystemefile.exenotepad.exesystemefile.exesystemefile.exe

description	pid	process	target process
PID 568 wrote to memory of 2996	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 568 wrote to memory of 2996	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 568 wrote to memory of 2996	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 2996 wrote to memory of 3172	2996	syststemfile.exe	notepad.exe
PID 2996 wrote to memory of 3172	2996	syststemfile.exe	notepad.exe
PID 2996 wrote to memory of 3172	2996	syststemfile.exe	notepad.exe
PID 2996 wrote to memory of 3172	2996	syststemfile.exe	notepad.exe
PID 2996 wrote to memory of 3172	2996	syststemfile.exe	notepad.exe
PID 568 wrote to memory of 2720	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 568 wrote to memory of 2720	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 568 wrote to memory of 2720	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 2720 wrote to memory of 192	2720	systemfiles.exe	notepad.exe
PID 2720 wrote to memory of 192	2720	systemfiles.exe	notepad.exe
PID 2720 wrote to memory of 192	2720	systemfiles.exe	notepad.exe
PID 3172 wrote to memory of 3588	3172	notepad.exe	systemefile.exe
PID 3172 wrote to memory of 3588	3172	notepad.exe	systemefile.exe
PID 3172 wrote to memory of 3588	3172	notepad.exe	systemefile.exe
PID 2720 wrote to memory of 192	2720	systemfiles.exe	notepad.exe
PID 2720 wrote to memory of 192	2720	systemfiles.exe	notepad.exe
PID 192 wrote to memory of 1796	192	systemefile.exe	systemstability.exe
PID 192 wrote to memory of 1796	192	systemefile.exe	systemstability.exe
PID 192 wrote to memory of 1796	192	systemefile.exe	systemstability.exe
PID 3588 wrote to memory of 1508	3588	systemefile.exe	systemefile.exe
PID 3588 wrote to memory of 1508	3588	systemefile.exe	systemefile.exe
PID 3588 wrote to memory of 1508	3588	systemefile.exe	systemefile.exe
PID 568 wrote to memory of 972	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 568 wrote to memory of 972	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 568 wrote to memory of 972	568	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 3588 wrote to memory of 496	3588	systemefile.exe	systemefile.exe
PID 3588 wrote to memory of 496	3588	systemefile.exe	systemefile.exe
PID 3588 wrote to memory of 496	3588	systemefile.exe	systemefile.exe
PID 1796 wrote to memory of 2120	1796	systemstability.exe	systemstability.exe
PID 1796 wrote to memory of 2120	1796	systemstability.exe	systemstability.exe
PID 1796 wrote to memory of 2120	1796	systemstability.exe	systemstability.exe
PID 1796 wrote to memory of 4056	1796	systemstability.exe	systemstability.exe
PID 1796 wrote to memory of 4056	1796	systemstability.exe	systemstability.exe
PID 1796 wrote to memory of 4056	1796	systemstability.exe	systemstability.exe
PID 1508 wrote to memory of 2552	1508	systemefile.exe	Host.exe
PID 1508 wrote to memory of 2552	1508	systemefile.exe	Host.exe
PID 1508 wrote to memory of 2552	1508	systemefile.exe	Host.exe
PID 2552 wrote to memory of 2856	2552	Host.exe	notepad.exe
PID 2552 wrote to memory of 2856	2552	Host.exe	notepad.exe
PID 2552 wrote to memory of 2856	2552	Host.exe	notepad.exe
PID 2552 wrote to memory of 2856	2552	Host.exe	notepad.exe
PID 2552 wrote to memory of 2856	2552	Host.exe	notepad.exe
PID 496 wrote to memory of 3796	496	systemefile.exe	wscript.exe
PID 496 wrote to memory of 3796	496	systemefile.exe	wscript.exe
PID 496 wrote to memory of 3796	496	systemefile.exe	wscript.exe
PID 3796 wrote to memory of 192	3796	systemefile.exe	systemefile.exe
PID 3796 wrote to memory of 192	3796	systemefile.exe	systemefile.exe
PID 3796 wrote to memory of 192	3796	systemefile.exe	systemefile.exe
PID 2856 wrote to memory of 1420	2856	notepad.exe	systemefile.exe
PID 2856 wrote to memory of 1420	2856	notepad.exe	systemefile.exe
PID 2856 wrote to memory of 1420	2856	notepad.exe	systemefile.exe
PID 3796 wrote to memory of 2096	3796	systemefile.exe	systemefile.exe
PID 3796 wrote to memory of 2096	3796	systemefile.exe	systemefile.exe
PID 3796 wrote to memory of 2096	3796	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 3832	1420	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 3832	1420	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 3832	1420	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 2324	1420	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 2324	1420	systemefile.exe	systemefile.exe
PID 1420 wrote to memory of 2324	1420	systemefile.exe	systemefile.exe
PID 2324 wrote to memory of 2476	2324	systemefile.exe	systemefile.exe

C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
7⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3832 259295421
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2476

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4088 259295875
11⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3032

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4088 259296890
13⤵
- Executes dropped EXE
PID:2560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:3340

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
- Executes dropped EXE
PID:2776

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
- Executes dropped EXE
PID:200

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
17⤵
- Drops startup file
- NTFS ADS
PID:1580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3840 259299750
19⤵
PID:4032

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:3904

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2856

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2856 259300484
21⤵
PID:2720

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:3840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2776 259298250
15⤵
PID:1932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 796 259299000
17⤵
PID:3836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:1976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2264

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2264 259299796
19⤵
PID:3520

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:1684

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2844

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2844 259300156
21⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:1380

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1380 259300593
23⤵
PID:2112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4164

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4164 259308734
12⤵
PID:4772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1508 259294015
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:3796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 192 259295171
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:192

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4804 259308281
4⤵
PID:4244

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:192

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe" 2 2120 259294328
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2228

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:632

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 632 259300921
4⤵
- Executes dropped EXE
PID:3836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1808

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:4076

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
7⤵
PID:4024

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
8⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2264

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:1592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
11⤵
PID:1976

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
12⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4076

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2172

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
15⤵
PID:4364

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:4492

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2172 259303687
14⤵
PID:2036

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4732

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4280 259305406
16⤵
PID:3000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3840 259308281
18⤵
PID:4476

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4280

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
17⤵
PID:4948

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
18⤵
PID:4976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:4524

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4940 259308500
20⤵
PID:4168

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:4940

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1592 259302796
10⤵
PID:4024

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1984

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
13⤵
PID:4356

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:4516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4276 259305375
16⤵
PID:4136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:5116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:4256

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4256 259307859
18⤵
PID:4596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4276

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
17⤵
PID:4528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1984 259303406
12⤵
PID:2444

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4588

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4976

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
15⤵
PID:4632

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:4864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4976 259304906
14⤵
PID:5052

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4644

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:5008

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4076 259302203
6⤵
PID:1220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1124

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
9⤵
PID:4340

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
10⤵
PID:4476

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1964 259302609
8⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:4580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:4964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
11⤵
PID:4112

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
12⤵
PID:4204

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
12⤵
PID:4348

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3796 259308968
14⤵
PID:4848

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4964 259304906
10⤵
PID:5044

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
13⤵
PID:5296

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:5416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:5560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4964 259307734
12⤵
PID:5064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js"
2⤵
- Drops startup file
- Adds Run key to start application
PID:972

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\systemfiles878.js"
3⤵
- Drops startup file
- Adds Run key to start application
PID:2100

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
4⤵
- Executes dropped EXE
PID:3796

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
3⤵
- Drops startup file
- Adds Run key to start application
PID:2900

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4024 259301015
1⤵
PID:660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:3920

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:3560

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2036

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:1512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1504

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:2228

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:1792

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4128

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
PID:4392

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
13⤵
PID:4616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4248 259305515
15⤵
PID:4220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:5040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4204 259308296
17⤵
PID:4180

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:4236

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4248

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
PID:4908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4128 259303859
11⤵
PID:4148

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4708

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:5012

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:4892

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:2312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4120

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4992

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4992 259307359
17⤵
PID:4260

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5012 259304968
13⤵
PID:5104

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1504 259303000
7⤵
PID:3692

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3340

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3024

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:4348

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:4500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3024 259303546
9⤵
PID:2784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:4468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3560 259302328
3⤵
PID:3796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:1984

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1804

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
PID:1600

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
7⤵
PID:3796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1504

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:4024

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:4332

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:4460

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4640

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4956 259304875
13⤵
PID:5020

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
PID:1860

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
17⤵
PID:3520

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:4348

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:4924

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4924 259310156
19⤵
PID:4488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4832 259306265
15⤵
PID:2148

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4216 259310218
17⤵
PID:4484

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4216

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4956

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:4100

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:4600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
18⤵
PID:5040

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
19⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:4484

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4272 259309875
21⤵
PID:2856

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:4272

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4592 259306375
17⤵
PID:4796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:4900

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4812 259309937
19⤵
PID:4580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:4812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4024 259303593
9⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:4548

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4752 259304640
11⤵
PID:4816

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4144

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4144 259308953
13⤵
PID:4176

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4752

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
PID:4420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1804 259302781
5⤵
PID:1932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:3560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1804 259303406
7⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:4484

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4740 259304640
9⤵
PID:4804

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:4120

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4500 259306078
11⤵
PID:4516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:4740

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:4388

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:4324

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4556

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:4152

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:4600

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:4224

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:4112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:4776

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4776 259309906
17⤵
PID:4728

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4152 259306187
13⤵
PID:4572

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4700

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4496

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4496 259309578
15⤵
PID:4196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4316 259307218
11⤵
PID:4408

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:4316

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1804

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:4324

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:4508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:4724

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:5000

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
PID:4640

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
13⤵
PID:1932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:4524

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:4676

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4676 259307375
15⤵
PID:5068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5000 259304937
11⤵
PID:5088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:4828

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4024

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2540

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4696

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:4112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4684

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4984

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
PID:4920

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
4⤵
PID:4744

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:5020

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:4680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4680 259307406
6⤵
PID:4920

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4984 259304937
2⤵
PID:5068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:4784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4340 259306921
4⤵
PID:4140

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:4340

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4676

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4992

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
PID:4660

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
4⤵
PID:4864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:4956

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:5012

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5012 259307359
6⤵
PID:1656

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:4128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:1220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1220 259308531
6⤵
PID:4968

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4992 259304937
2⤵
PID:5080

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:4804

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:5076

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5076 259307234
4⤵
PID:1592

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4948 259304890
2⤵
PID:5028

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:4624

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1600 259307625
4⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:5280

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:5400

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5400 259311187
6⤵
PID:5424

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:1600

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
PID:4844

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:5156

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:5268

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:5352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5352 259311109
8⤵
PID:5364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4948

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
PID:4176

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
4⤵
PID:4996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:3172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4696 259304593
1⤵
PID:4764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4344 259308718
3⤵
PID:4428

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:4344

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:5568

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1120 259307218
1⤵
PID:4416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:1120

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4452

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4508 259308328
2⤵
PID:4528

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:5092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:4644

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5008 259307875
2⤵
PID:4944

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4336 259309171
2⤵
PID:4312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:4336

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2300

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4480

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4452 259307906
1⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs
MD5
6b17a5baf42e2eced60b40326f06d539

SHA1
7e9f1a9d9f83e89cea6eb1442c2a70dfaa9d94a3

SHA256
4dcd87ba10ee62cea3f021b7d91ed36240e9c64d3218bfaf942e1677695cc411

SHA512
13a02f02088552997c07545fae4d2f0f35490398cc5e46e662c4041bdd905cd65b2e00dd957e369f31d6e020d38978ed3ca9525529c0782badf742a6b00ea651

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js
MD5
45f5c927b03df5996b42c0eab0e0f7c7

SHA1
a6e990d3c7bc1e94a1c8fd96674ba818f7e0b83e

SHA256
4fe7a0c1b20ae55003849f7de12b0756434b956676d02fbff06daa9c8d85b0f5

SHA512
4716fc8e7485698d9c4c6c6a52c64fef13e737a935ed4d9fb84e31c1e3a403d6f21cfc64f4910e7bbd38275ecafa15a456044ab68f3471d722585decf04077e9

Download Submit
C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js
MD5
45f5c927b03df5996b42c0eab0e0f7c7

SHA1
a6e990d3c7bc1e94a1c8fd96674ba818f7e0b83e

SHA256
4fe7a0c1b20ae55003849f7de12b0756434b956676d02fbff06daa9c8d85b0f5

SHA512
4716fc8e7485698d9c4c6c6a52c64fef13e737a935ed4d9fb84e31c1e3a403d6f21cfc64f4910e7bbd38275ecafa15a456044ab68f3471d722585decf04077e9

Download Submit
memory/192-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/192-170-0x000000000040242D-mapping.dmp

Download
memory/192-121-0x0000000000000000-mapping.dmp

Download
memory/200-257-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/200-243-0x0000000000000000-mapping.dmp

Download
memory/496-130-0x0000000000000000-mapping.dmp

Download
memory/496-143-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/496-208-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/632-291-0x000000000040242D-mapping.dmp

Download
memory/660-296-0x0000000000000000-mapping.dmp

Download
memory/796-248-0x000000000040242D-mapping.dmp

Download
memory/972-128-0x0000000000000000-mapping.dmp

Download
memory/1220-302-0x0000000000000000-mapping.dmp

Download
memory/1380-282-0x000000000040242D-mapping.dmp

Download
memory/1420-195-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1420-168-0x0000000000000000-mapping.dmp

Download
memory/1420-180-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/1508-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1508-126-0x000000000040242D-mapping.dmp

Download
memory/1580-245-0x0000000000000000-mapping.dmp

Download
memory/1684-269-0x0000000000000000-mapping.dmp

Download
memory/1796-136-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/1796-141-0x00000000005D0000-0x000000000071A000-memory.dmp

Filesize
1.3MB

Download
memory/1796-125-0x0000000000000000-mapping.dmp

Download
memory/1808-298-0x0000000000000000-mapping.dmp

Download
memory/1932-241-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/1932-234-0x0000000000000000-mapping.dmp

Download
memory/1932-242-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1932-240-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1976-254-0x0000000000000000-mapping.dmp

Download
memory/2096-204-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2096-183-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2096-174-0x0000000000000000-mapping.dmp

Download
memory/2100-207-0x0000000000000000-mapping.dmp

Download
memory/2112-284-0x0000000000000000-mapping.dmp

Download
memory/2120-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2120-138-0x000000000047D4A0-mapping.dmp

Download
memory/2120-186-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2152-277-0x0000000000000000-mapping.dmp

Download
memory/2228-287-0x0000000000000000-mapping.dmp

Download
memory/2264-260-0x000000000040242D-mapping.dmp

Download
memory/2300-201-0x0000000000000000-mapping.dmp

Download
memory/2300-226-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2300-220-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2324-184-0x0000000000000000-mapping.dmp

Download
memory/2324-192-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2324-190-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/2476-191-0x0000000000000000-mapping.dmp

Download
memory/2476-200-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2476-196-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2540-288-0x0000000000000000-mapping.dmp

Download
memory/2552-153-0x0000000000000000-mapping.dmp

Download
memory/2552-159-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2552-163-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2560-221-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/2560-215-0x0000000000000000-mapping.dmp

Download
memory/2560-223-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/2560-239-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2720-156-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2720-280-0x0000000000000000-mapping.dmp

Download
memory/2720-152-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2720-118-0x0000000000000000-mapping.dmp

Download
memory/2776-231-0x000000000040242D-mapping.dmp

Download
memory/2812-246-0x0000000000000000-mapping.dmp

Download
memory/2844-271-0x000000000040242D-mapping.dmp

Download
memory/2856-160-0x0000000000000000-mapping.dmp

Download
memory/2856-279-0x000000000040242D-mapping.dmp

Download
memory/2900-197-0x0000000000000000-mapping.dmp

Download
memory/2996-127-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2996-114-0x0000000000000000-mapping.dmp

Download
memory/2996-134-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2996-273-0x0000000000000000-mapping.dmp

Download
memory/2996-133-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/3032-236-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3032-230-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3032-209-0x0000000000000000-mapping.dmp

Download
memory/3172-147-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3172-117-0x0000000000000000-mapping.dmp

Download
memory/3340-222-0x0000000000000000-mapping.dmp

Download
memory/3340-227-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/3340-229-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3520-262-0x0000000000000000-mapping.dmp

Download
memory/3560-303-0x000000000040242D-mapping.dmp

Download
memory/3588-206-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3588-122-0x0000000000000000-mapping.dmp

Download
memory/3588-166-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3796-169-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/3796-172-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/3796-304-0x0000000000000000-mapping.dmp

Download
memory/3796-217-0x0000000000000000-mapping.dmp

Download
memory/3796-253-0x0000000000000000-mapping.dmp

Download
memory/3796-162-0x0000000000000000-mapping.dmp

Download
memory/3796-258-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/3796-178-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3832-182-0x000000000040242D-mapping.dmp

Download
memory/3836-250-0x0000000000000000-mapping.dmp

Download
memory/3836-293-0x0000000000000000-mapping.dmp

Download
memory/3840-259-0x000000000040242D-mapping.dmp

Download
memory/3904-275-0x0000000000000000-mapping.dmp

Download
memory/3920-300-0x0000000000000000-mapping.dmp

Download
memory/4024-295-0x000000000040242D-mapping.dmp

Download
memory/4024-305-0x0000000000000000-mapping.dmp

Download
memory/4032-261-0x0000000000000000-mapping.dmp

Download
memory/4056-150-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/4056-149-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/4056-140-0x0000000000000000-mapping.dmp

Download
memory/4056-151-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/4076-301-0x000000000040242D-mapping.dmp

Download
memory/4088-198-0x000000000040242D-mapping.dmp

Download
memory/4088-214-0x000000000040242D-mapping.dmp

Download