njrat | 20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

edaf154b94f8808071e089661c89412e
SHA1

31b1c1eefe489f1f348002d5b01870b268b24ca0
SHA256

20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393
SHA512

8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Score

10^/10

njrat hacked by cobra 217 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By CobrA 217

Y29icmFzc3Nzc3Nzc3Nzcy5kZG5zLm5ldAStrikStrik:MTE3Nw==

Mutex

3a080181c5938cd7611a562e79328fc0

Attributes

reg_key
3a080181c5938cd7611a562e79328fc0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Executes dropped EXE 39 IoCs

Processes:

server.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exe

pid	process
3324	server.exe
2884	svchost.exe
312	server.exe
840	svchost.exe
3192	server.exe
1860	svchost.exe
3308	server.exe
924	svchost.exe
1420	server.exe
3500	svchost.exe
2888	server.exe
208	svchost.exe
2372	server.exe
4440	svchost.exe
4988	server.exe
4636	svchost.exe
3464	server.exe
3264	svchost.exe
3000	server.exe
3164	svchost.exe
1604	server.exe
1708	svchost.exe
3516	server.exe
1224	svchost.exe
968	server.exe
1888	svchost.exe
1524	server.exe
4084	svchost.exe
2408	server.exe
1660	svchost.exe
3460	server.exe
1264	svchost.exe
2396	server.exe
548	svchost.exe
4408	server.exe
1572	svchost.exe
2188	server.exe
3060	svchost.exe
3092	server.exe

Modifies Windows Firewall 1 TTPs 58 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3144	netsh.exe
4496	netsh.exe
4748	netsh.exe
1984	netsh.exe
2336	netsh.exe
4052	netsh.exe
2324	netsh.exe
3528	netsh.exe
4240	netsh.exe
3112	netsh.exe
4828	netsh.exe
2420	netsh.exe
2848	netsh.exe
2452	netsh.exe
1364	netsh.exe
1600	netsh.exe
1072	netsh.exe
4228	netsh.exe
432	netsh.exe
3092	netsh.exe
2948	netsh.exe
3808	netsh.exe
1704	netsh.exe
1720	netsh.exe
4060	netsh.exe
840	netsh.exe
5008	netsh.exe
3828	netsh.exe
1744	netsh.exe
2132	netsh.exe
3400	netsh.exe
3720	netsh.exe
4572	netsh.exe
4292	netsh.exe
4808	netsh.exe
4492	netsh.exe
4648	netsh.exe
4336	netsh.exe
4828	netsh.exe
4332	netsh.exe
3156	netsh.exe
1716	netsh.exe
3108	netsh.exe
2072	netsh.exe
3504	netsh.exe
4980	netsh.exe
1572	netsh.exe
4040	netsh.exe
844	netsh.exe
3068	netsh.exe
1280	netsh.exe
4884	netsh.exe
2364	netsh.exe
2296	netsh.exe
4076	netsh.exe
940	netsh.exe
4572	netsh.exe
3532	netsh.exe

Checks computer location settings 2 TTPs 39 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

server.exeserver.exesvchost.exeserver.exeserver.exesvchost.exeserver.exesvchost.exesvchost.exeServer.exeserver.exesvchost.exesvchost.exeserver.exeserver.exesvchost.exesvchost.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exeserver.exeserver.exesvchost.exesvchost.exeserver.exeserver.exeserver.exesvchost.exesvchost.exeserver.exeserver.exesvchost.exesvchost.exesvchost.exesvchost.exeserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 60 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Drops file in System32 directory 20 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 20 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe
3324	server.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exe

pid process

3324 server.exe
312 server.exe
3192 server.exe
1420 server.exe
1604 server.exe
1524 server.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	3324	server.exe
Token: SeDebugPrivilege	312	server.exe
Token: SeDebugPrivilege	3192	server.exe
Token: SeDebugPrivilege	3308	server.exe
Token: SeDebugPrivilege	1420	server.exe
Token: SeDebugPrivilege	2888	server.exe
Token: SeDebugPrivilege	2372	server.exe
Token: SeDebugPrivilege	4988	server.exe
Token: SeDebugPrivilege	3464	server.exe
Token: SeDebugPrivilege	3000	server.exe
Token: SeDebugPrivilege	1604	server.exe
Token: SeDebugPrivilege	3516	server.exe
Token: SeDebugPrivilege	968	server.exe
Token: SeDebugPrivilege	1524	server.exe
Token: SeDebugPrivilege	2408	server.exe
Token: SeDebugPrivilege	3460	server.exe
Token: SeDebugPrivilege	2396	server.exe
Token: SeDebugPrivilege	4408	server.exe
Token: SeDebugPrivilege	2188	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Server.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exe

description	pid	process	target process
PID 4916 wrote to memory of 3324	4916	Server.exe	server.exe
PID 4916 wrote to memory of 3324	4916	Server.exe	server.exe
PID 4916 wrote to memory of 3324	4916	Server.exe	server.exe
PID 3324 wrote to memory of 4332	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 4332	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 4332	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 2848	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 2848	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 2848	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 3532	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 3532	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 3532	3324	server.exe	netsh.exe
PID 3324 wrote to memory of 2884	3324	server.exe	svchost.exe
PID 3324 wrote to memory of 2884	3324	server.exe	svchost.exe
PID 3324 wrote to memory of 2884	3324	server.exe	svchost.exe
PID 2884 wrote to memory of 312	2884	svchost.exe	server.exe
PID 2884 wrote to memory of 312	2884	svchost.exe	server.exe
PID 2884 wrote to memory of 312	2884	svchost.exe	server.exe
PID 312 wrote to memory of 4492	312	server.exe	netsh.exe
PID 312 wrote to memory of 4492	312	server.exe	netsh.exe
PID 312 wrote to memory of 4492	312	server.exe	netsh.exe
PID 312 wrote to memory of 2132	312	server.exe	netsh.exe
PID 312 wrote to memory of 2132	312	server.exe	netsh.exe
PID 312 wrote to memory of 2132	312	server.exe	netsh.exe
PID 312 wrote to memory of 4884	312	server.exe	netsh.exe
PID 312 wrote to memory of 4884	312	server.exe	netsh.exe
PID 312 wrote to memory of 4884	312	server.exe	netsh.exe
PID 312 wrote to memory of 840	312	server.exe	svchost.exe
PID 312 wrote to memory of 840	312	server.exe	svchost.exe
PID 312 wrote to memory of 840	312	server.exe	svchost.exe
PID 840 wrote to memory of 3192	840	svchost.exe	server.exe
PID 840 wrote to memory of 3192	840	svchost.exe	server.exe
PID 840 wrote to memory of 3192	840	svchost.exe	server.exe
PID 3192 wrote to memory of 4076	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 4076	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 4076	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 4648	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 4648	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 4648	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 3808	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 3808	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 3808	3192	server.exe	netsh.exe
PID 3192 wrote to memory of 1860	3192	server.exe	svchost.exe
PID 3192 wrote to memory of 1860	3192	server.exe	svchost.exe
PID 3192 wrote to memory of 1860	3192	server.exe	svchost.exe
PID 1860 wrote to memory of 3308	1860	svchost.exe	server.exe
PID 1860 wrote to memory of 3308	1860	svchost.exe	server.exe
PID 1860 wrote to memory of 3308	1860	svchost.exe	server.exe
PID 3308 wrote to memory of 3108	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 3108	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 3108	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4040	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4040	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4040	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4052	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4052	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 4052	3308	server.exe	netsh.exe
PID 3308 wrote to memory of 924	3308	server.exe	svchost.exe
PID 3308 wrote to memory of 924	3308	server.exe	svchost.exe
PID 3308 wrote to memory of 924	3308	server.exe	svchost.exe
PID 924 wrote to memory of 1420	924	svchost.exe	server.exe
PID 924 wrote to memory of 1420	924	svchost.exe	server.exe
PID 924 wrote to memory of 1420	924	svchost.exe	server.exe
PID 1420 wrote to memory of 4228	1420	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4332

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:2848

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3532

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4492

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
5⤵
- Modifies Windows Firewall
PID:2132

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4884

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:4076

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
7⤵
- Modifies Windows Firewall
PID:4648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:3808

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:3108

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
- Modifies Windows Firewall
PID:4040

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:4052

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:4228

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
- Modifies Windows Firewall
PID:3112

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:3156

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
PID:3500

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
- Modifies Windows Firewall
PID:2296

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
13⤵
- Modifies Windows Firewall
PID:432

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
- Modifies Windows Firewall
PID:2072

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
PID:208

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:4808

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
15⤵
- Modifies Windows Firewall
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:1072

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
PID:4440

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:1984

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
17⤵
- Modifies Windows Firewall
PID:2452

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:2336

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
PID:4636

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
19⤵
- Modifies Windows Firewall
PID:5008

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
19⤵
- Modifies Windows Firewall
PID:3092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
19⤵
- Modifies Windows Firewall
PID:3144

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
19⤵
- Executes dropped EXE
- Checks computer location settings
PID:3264

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
21⤵
- Modifies Windows Firewall
PID:3400

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
21⤵
- Modifies Windows Firewall
PID:3720

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
21⤵
- Modifies Windows Firewall
PID:3504

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
21⤵
- Executes dropped EXE
- Checks computer location settings
PID:3164

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
23⤵
- Modifies Windows Firewall
PID:2948

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
23⤵
- Modifies Windows Firewall
PID:4980

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
23⤵
- Modifies Windows Firewall
PID:4496

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
23⤵
- Executes dropped EXE
- Checks computer location settings
PID:1708

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
25⤵
- Modifies Windows Firewall
PID:844

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
25⤵
- Modifies Windows Firewall
PID:4060

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
25⤵
- Modifies Windows Firewall
PID:4828

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
25⤵
- Executes dropped EXE
- Checks computer location settings
PID:1224

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
26⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
27⤵
- Modifies Windows Firewall
PID:1720

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
27⤵
- Modifies Windows Firewall
PID:1572

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
27⤵
- Modifies Windows Firewall
PID:4240

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
27⤵
- Executes dropped EXE
- Checks computer location settings
PID:1888

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
28⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
29⤵
- Modifies Windows Firewall
PID:3828

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
29⤵
- Modifies Windows Firewall
PID:940

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
29⤵
- Modifies Windows Firewall
PID:4572

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
29⤵
- Executes dropped EXE
- Checks computer location settings
PID:4084

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
30⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
31⤵
- Modifies Windows Firewall
PID:4748

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
31⤵
- Modifies Windows Firewall
PID:3068

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
31⤵
- Modifies Windows Firewall
PID:2324

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
31⤵
- Executes dropped EXE
- Checks computer location settings
PID:1660

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
32⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
33⤵
- Modifies Windows Firewall
PID:4292

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
33⤵
- Modifies Windows Firewall
PID:1280

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
33⤵
- Modifies Windows Firewall
PID:4336

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
33⤵
- Executes dropped EXE
- Checks computer location settings
PID:1264

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
34⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
35⤵
- Modifies Windows Firewall
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
35⤵
- Modifies Windows Firewall
PID:3528

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
35⤵
- Modifies Windows Firewall
PID:2364

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
35⤵
- Executes dropped EXE
- Checks computer location settings
PID:548

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
36⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
37⤵
- Modifies Windows Firewall
PID:4828

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
37⤵
- Modifies Windows Firewall
PID:1364

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
37⤵
- Modifies Windows Firewall
PID:2420

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
37⤵
- Executes dropped EXE
- Checks computer location settings
PID:1572

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
38⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
39⤵
- Modifies Windows Firewall
PID:1744

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
39⤵
- Modifies Windows Firewall
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
39⤵
- Modifies Windows Firewall
PID:4572

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
39⤵
- Executes dropped EXE
- Checks computer location settings
PID:3060

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
40⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
41⤵
- Modifies Windows Firewall
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
memory/208-248-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/208-250-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/208-246-0x0000000000000000-mapping.dmp

Download
memory/312-147-0x0000000000000000-mapping.dmp

Download
memory/312-152-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/312-174-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/432-244-0x0000000000000000-mapping.dmp

Download
memory/840-176-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/840-170-0x0000000000000000-mapping.dmp

Download
memory/840-180-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/840-253-0x0000000000000000-mapping.dmp

Download
memory/844-297-0x0000000000000000-mapping.dmp

Download
memory/924-228-0x0000000000000000-mapping.dmp

Download
memory/924-230-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/924-232-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/968-303-0x0000000000000000-mapping.dmp

Download
memory/968-309-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/968-305-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1072-254-0x0000000000000000-mapping.dmp

Download
memory/1224-300-0x0000000000000000-mapping.dmp

Download
memory/1224-304-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1224-302-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1420-231-0x0000000000000000-mapping.dmp

Download
memory/1420-238-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1420-233-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1524-312-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1524-313-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1572-307-0x0000000000000000-mapping.dmp

Download
memory/1604-287-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1604-292-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1604-285-0x0000000000000000-mapping.dmp

Download
memory/1660-318-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1660-319-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1708-291-0x0000000000000000-mapping.dmp

Download
memory/1708-295-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1708-293-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1720-306-0x0000000000000000-mapping.dmp

Download
memory/1860-200-0x0000000000000000-mapping.dmp

Download
memory/1860-205-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1860-209-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1888-311-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1888-310-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/1984-261-0x0000000000000000-mapping.dmp

Download
memory/2072-245-0x0000000000000000-mapping.dmp

Download
memory/2132-167-0x0000000000000000-mapping.dmp

Download
memory/2296-243-0x0000000000000000-mapping.dmp

Download
memory/2336-263-0x0000000000000000-mapping.dmp

Download
memory/2372-256-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2372-251-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2372-249-0x0000000000000000-mapping.dmp

Download
memory/2408-315-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2408-317-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2452-262-0x0000000000000000-mapping.dmp

Download
memory/2848-139-0x0000000000000000-mapping.dmp

Download
memory/2884-146-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2884-141-0x0000000000000000-mapping.dmp

Download
memory/2884-150-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2888-247-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2888-240-0x0000000000000000-mapping.dmp

Download
memory/2888-242-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/2948-288-0x0000000000000000-mapping.dmp

Download
memory/3000-283-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3000-276-0x0000000000000000-mapping.dmp

Download
memory/3000-278-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3092-271-0x0000000000000000-mapping.dmp

Download
memory/3108-212-0x0000000000000000-mapping.dmp

Download
memory/3112-235-0x0000000000000000-mapping.dmp

Download
memory/3144-272-0x0000000000000000-mapping.dmp

Download
memory/3156-236-0x0000000000000000-mapping.dmp

Download
memory/3164-282-0x0000000000000000-mapping.dmp

Download
memory/3164-284-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3164-286-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3192-203-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3192-181-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3192-177-0x0000000000000000-mapping.dmp

Download
memory/3264-275-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3264-273-0x0000000000000000-mapping.dmp

Download
memory/3264-277-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3308-211-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3308-206-0x0000000000000000-mapping.dmp

Download
memory/3308-229-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3324-137-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3324-144-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3324-131-0x0000000000000000-mapping.dmp

Download
memory/3400-279-0x0000000000000000-mapping.dmp

Download
memory/3460-321-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3460-320-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3464-267-0x0000000000000000-mapping.dmp

Download
memory/3464-274-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3464-269-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3500-237-0x0000000000000000-mapping.dmp

Download
memory/3500-241-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3500-239-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3504-281-0x0000000000000000-mapping.dmp

Download
memory/3516-296-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3516-294-0x0000000000000000-mapping.dmp

Download
memory/3516-301-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/3532-140-0x0000000000000000-mapping.dmp

Download
memory/3720-280-0x0000000000000000-mapping.dmp

Download
memory/3808-198-0x0000000000000000-mapping.dmp

Download
memory/4040-226-0x0000000000000000-mapping.dmp

Download
memory/4052-227-0x0000000000000000-mapping.dmp

Download
memory/4060-298-0x0000000000000000-mapping.dmp

Download
memory/4076-183-0x0000000000000000-mapping.dmp

Download
memory/4084-314-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4084-316-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4228-234-0x0000000000000000-mapping.dmp

Download
memory/4240-308-0x0000000000000000-mapping.dmp

Download
memory/4332-138-0x0000000000000000-mapping.dmp

Download
memory/4440-255-0x0000000000000000-mapping.dmp

Download
memory/4440-257-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4440-259-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4492-153-0x0000000000000000-mapping.dmp

Download
memory/4496-290-0x0000000000000000-mapping.dmp

Download
memory/4636-264-0x0000000000000000-mapping.dmp

Download
memory/4636-266-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4636-268-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4648-197-0x0000000000000000-mapping.dmp

Download
memory/4808-252-0x0000000000000000-mapping.dmp

Download
memory/4828-299-0x0000000000000000-mapping.dmp

Download
memory/4884-168-0x0000000000000000-mapping.dmp

Download
memory/4916-130-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4916-135-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4980-289-0x0000000000000000-mapping.dmp

Download
memory/4988-258-0x0000000000000000-mapping.dmp

Download
memory/4988-265-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4988-260-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/5008-270-0x0000000000000000-mapping.dmp

Download