4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

Analysis

max time kernel
159s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
Size

422KB
MD5

6b32d61d63952184bd5333fe13319fe0
SHA1

f478f373bbca84edfe3d030a0255608fd48169ff
SHA256

4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb
SHA512

0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28
SSDEEP

6144:FL5L00kAaEGd9ZXDDHP4Kv9JAASWX37/Gv7VPCtC4XUPoB6trJ5k8MOWqjdq:j7kATGd9ZTDHwKvXF4EtC4gqKJWmWmdq

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3836	Microsoft.exe
2136	Microsoft.exe
3616	Microsoft.exe
3896	Microsoft.exe
2940	Microsoft.exe
3852	Microsoft.exe
3020	Microsoft.exe
2656	Microsoft.exe
2028	Microsoft.exe
4056	Microsoft.exe
4844	Microsoft.exe
712	Microsoft.exe
4512	Microsoft.exe
4616	Microsoft.exe
2380	Microsoft.exe
5024	Microsoft.exe
3448	Microsoft.exe
2436	Microsoft.exe
4796	Microsoft.exe
4188	Microsoft.exe
3640	Microsoft.exe
2764	Microsoft.exe
1804	Microsoft.exe
2368	Microsoft.exe
584	Microsoft.exe
4364	Microsoft.exe
1660	Microsoft.exe
4224	Microsoft.exe
5052	Microsoft.exe
2256	Microsoft.exe
3416	Microsoft.exe
1892	Microsoft.exe
2316	Microsoft.exe
32	Microsoft.exe
3700	Microsoft.exe
4484	Microsoft.exe
4952	Microsoft.exe
3384	Microsoft.exe
1472	Microsoft.exe
3344	Microsoft.exe
4072	Microsoft.exe
4544	Microsoft.exe
4416	Microsoft.exe
4780	Microsoft.exe
1856	Microsoft.exe
1712	Microsoft.exe
4348	Microsoft.exe
2980	Microsoft.exe
412	Microsoft.exe
4368	Microsoft.exe
1108	Microsoft.exe
800	Microsoft.exe
3412	Microsoft.exe
1652	Microsoft.exe
4560	Microsoft.exe
3284	Microsoft.exe
3340	Microsoft.exe
4972	Microsoft.exe
1156	Microsoft.exe
3380	Microsoft.exe
3036	Microsoft.exe
1964	Microsoft.exe
236	Microsoft.exe
1064	Microsoft.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Microsoft.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File created	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	Microsoft.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 set thread context of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2652 set thread context of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 3836 set thread context of 2136	3836	Microsoft.exe	85
PID 3836 set thread context of 3616	3836	Microsoft.exe	86
PID 2136 set thread context of 3896	2136	Microsoft.exe	87
PID 2940 set thread context of 3852	2940	Microsoft.exe	89
PID 2940 set thread context of 3020	2940	Microsoft.exe	90
PID 3852 set thread context of 2656	3852	Microsoft.exe	91
PID 2028 set thread context of 4056	2028	Microsoft.exe	93
PID 2028 set thread context of 4844	2028	Microsoft.exe	94
PID 4056 set thread context of 712	4056	Microsoft.exe	95
PID 4512 set thread context of 4616	4512	Microsoft.exe	97
PID 4512 set thread context of 2380	4512	Microsoft.exe	98
PID 4616 set thread context of 5024	4616	Microsoft.exe	99
PID 3448 set thread context of 2436	3448	Microsoft.exe	101
PID 3448 set thread context of 4796	3448	Microsoft.exe	102
PID 2436 set thread context of 4188	2436	Microsoft.exe	103
PID 3640 set thread context of 2764	3640	Microsoft.exe	107
PID 3640 set thread context of 1804	3640	Microsoft.exe	108
PID 2764 set thread context of 2368	2764	Microsoft.exe	109
PID 584 set thread context of 4364	584	Microsoft.exe	111
PID 584 set thread context of 1660	584	Microsoft.exe	112
PID 4364 set thread context of 4224	4364	Microsoft.exe	113
PID 5052 set thread context of 2256	5052	Microsoft.exe	115
PID 5052 set thread context of 3416	5052	Microsoft.exe	118
PID 2256 set thread context of 1892	2256	Microsoft.exe	119
PID 2316 set thread context of 32	2316	Microsoft.exe	121
PID 2316 set thread context of 3700	2316	Microsoft.exe	123
PID 32 set thread context of 4484	32	Microsoft.exe	124
PID 4952 set thread context of 3384	4952	Microsoft.exe	126
PID 4952 set thread context of 1472	4952	Microsoft.exe	127
PID 3384 set thread context of 3344	3384	Microsoft.exe	128
PID 4072 set thread context of 4544	4072	Microsoft.exe	130
PID 4072 set thread context of 4416	4072	Microsoft.exe	131
PID 4544 set thread context of 4780	4544	Microsoft.exe	132
PID 1856 set thread context of 1712	1856	Microsoft.exe	134
PID 1856 set thread context of 4348	1856	Microsoft.exe	135
PID 1712 set thread context of 2980	1712	Microsoft.exe	136
PID 412 set thread context of 4368	412	Microsoft.exe	139
PID 412 set thread context of 1108	412	Microsoft.exe	140
PID 4368 set thread context of 800	4368	Microsoft.exe	141
PID 3412 set thread context of 1652	3412	Microsoft.exe	144
PID 3412 set thread context of 4560	3412	Microsoft.exe	145
PID 1652 set thread context of 3284	1652	Microsoft.exe	146
PID 3340 set thread context of 4972	3340	Microsoft.exe	149
PID 3340 set thread context of 1156	3340	Microsoft.exe	150
PID 4972 set thread context of 3380	4972	Microsoft.exe	151
PID 3036 set thread context of 1964	3036	Microsoft.exe	153
PID 3036 set thread context of 236	3036	Microsoft.exe	154
PID 1964 set thread context of 1064	1964	Microsoft.exe	155
PID 392 set thread context of 3900	392	Microsoft.exe	157
PID 392 set thread context of 2512	392	Microsoft.exe	158
PID 3900 set thread context of 2028	3900	Microsoft.exe	159
PID 1984 set thread context of 1768	1984	Microsoft.exe	161
PID 1984 set thread context of 2032	1984	Microsoft.exe	162
PID 1768 set thread context of 740	1768	Microsoft.exe	163
PID 3840 set thread context of 4228	3840	Microsoft.exe	165
PID 3840 set thread context of 3844	3840	Microsoft.exe	166
PID 4228 set thread context of 4920	4228	Microsoft.exe	167
PID 3820 set thread context of 5008	3820	Microsoft.exe	169
PID 3820 set thread context of 2692	3820	Microsoft.exe	170
PID 5008 set thread context of 1456	5008	Microsoft.exe	171
PID 5088 set thread context of 600	5088	Microsoft.exe	173

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Microsoft.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
3896	Microsoft.exe
3896	Microsoft.exe
2656	Microsoft.exe
2656	Microsoft.exe
712	Microsoft.exe
712	Microsoft.exe
5024	Microsoft.exe
5024	Microsoft.exe
4188	Microsoft.exe
4188	Microsoft.exe
2368	Microsoft.exe
2368	Microsoft.exe
4224	Microsoft.exe
4224	Microsoft.exe
1892	Microsoft.exe
1892	Microsoft.exe
4484	Microsoft.exe
4484	Microsoft.exe
3344	Microsoft.exe
3344	Microsoft.exe
4780	Microsoft.exe
4780	Microsoft.exe
2980	Microsoft.exe
2980	Microsoft.exe
800	Microsoft.exe
800	Microsoft.exe
3284	Microsoft.exe
3284	Microsoft.exe
3380	Microsoft.exe
3380	Microsoft.exe
1064	Microsoft.exe
1064	Microsoft.exe
2028	Microsoft.exe
2028	Microsoft.exe
740	Microsoft.exe
740	Microsoft.exe
4920	Microsoft.exe
4920	Microsoft.exe
1456	Microsoft.exe
1456	Microsoft.exe
1148	Microsoft.exe
1148	Microsoft.exe
3904	Microsoft.exe
3904	Microsoft.exe
3400	Microsoft.exe
3400	Microsoft.exe
3036	Microsoft.exe
3036	Microsoft.exe
4756	Microsoft.exe
4756	Microsoft.exe
1228	Microsoft.exe
1228	Microsoft.exe
2180	Microsoft.exe
2180	Microsoft.exe
5068	Microsoft.exe
5068	Microsoft.exe
3312	Microsoft.exe
3312	Microsoft.exe
4552	Microsoft.exe
4552	Microsoft.exe
1072	Microsoft.exe
1072	Microsoft.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
Token: SeDebugPrivilege	500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
Token: SeDebugPrivilege	3896	Microsoft.exe
Token: SeDebugPrivilege	3896	Microsoft.exe
Token: SeDebugPrivilege	2656	Microsoft.exe
Token: SeDebugPrivilege	2656	Microsoft.exe
Token: SeDebugPrivilege	712	Microsoft.exe
Token: SeDebugPrivilege	712	Microsoft.exe
Token: SeDebugPrivilege	5024	Microsoft.exe
Token: SeDebugPrivilege	5024	Microsoft.exe
Token: SeDebugPrivilege	4188	Microsoft.exe
Token: SeDebugPrivilege	4188	Microsoft.exe
Token: SeDebugPrivilege	2368	Microsoft.exe
Token: SeDebugPrivilege	2368	Microsoft.exe
Token: SeDebugPrivilege	4224	Microsoft.exe
Token: SeDebugPrivilege	4224	Microsoft.exe
Token: SeDebugPrivilege	1892	Microsoft.exe
Token: SeDebugPrivilege	1892	Microsoft.exe
Token: SeDebugPrivilege	4484	Microsoft.exe
Token: SeDebugPrivilege	4484	Microsoft.exe
Token: SeDebugPrivilege	3344	Microsoft.exe
Token: SeDebugPrivilege	3344	Microsoft.exe
Token: SeDebugPrivilege	4780	Microsoft.exe
Token: SeDebugPrivilege	4780	Microsoft.exe
Token: SeDebugPrivilege	2980	Microsoft.exe
Token: SeDebugPrivilege	2980	Microsoft.exe
Token: SeDebugPrivilege	800	Microsoft.exe
Token: SeDebugPrivilege	800	Microsoft.exe
Token: SeDebugPrivilege	3284	Microsoft.exe
Token: SeDebugPrivilege	3284	Microsoft.exe
Token: SeDebugPrivilege	3380	Microsoft.exe
Token: SeDebugPrivilege	3380	Microsoft.exe
Token: SeDebugPrivilege	1064	Microsoft.exe
Token: SeDebugPrivilege	1064	Microsoft.exe
Token: SeDebugPrivilege	2028	Microsoft.exe
Token: SeDebugPrivilege	2028	Microsoft.exe
Token: SeDebugPrivilege	740	Microsoft.exe
Token: SeDebugPrivilege	740	Microsoft.exe
Token: SeDebugPrivilege	4920	Microsoft.exe
Token: SeDebugPrivilege	4920	Microsoft.exe
Token: SeDebugPrivilege	1456	Microsoft.exe
Token: SeDebugPrivilege	1456	Microsoft.exe
Token: SeDebugPrivilege	1148	Microsoft.exe
Token: SeDebugPrivilege	1148	Microsoft.exe
Token: SeDebugPrivilege	3904	Microsoft.exe
Token: SeDebugPrivilege	3904	Microsoft.exe
Token: SeDebugPrivilege	3400	Microsoft.exe
Token: SeDebugPrivilege	3400	Microsoft.exe
Token: SeDebugPrivilege	3036	Microsoft.exe
Token: SeDebugPrivilege	3036	Microsoft.exe
Token: SeDebugPrivilege	4756	Microsoft.exe
Token: SeDebugPrivilege	4756	Microsoft.exe
Token: SeDebugPrivilege	1228	Microsoft.exe
Token: SeDebugPrivilege	1228	Microsoft.exe
Token: SeDebugPrivilege	2180	Microsoft.exe
Token: SeDebugPrivilege	2180	Microsoft.exe
Token: SeDebugPrivilege	5068	Microsoft.exe
Token: SeDebugPrivilege	5068	Microsoft.exe
Token: SeDebugPrivilege	3312	Microsoft.exe
Token: SeDebugPrivilege	3312	Microsoft.exe
Token: SeDebugPrivilege	4552	Microsoft.exe
Token: SeDebugPrivilege	4552	Microsoft.exe
Token: SeDebugPrivilege	1072	Microsoft.exe
Token: SeDebugPrivilege	1072	Microsoft.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
2136	Microsoft.exe
3852	Microsoft.exe
4056	Microsoft.exe
4616	Microsoft.exe
2436	Microsoft.exe
2764	Microsoft.exe
4364	Microsoft.exe
2256	Microsoft.exe
32	Microsoft.exe
3384	Microsoft.exe
4544	Microsoft.exe
1712	Microsoft.exe
4368	Microsoft.exe
1652	Microsoft.exe
4972	Microsoft.exe
1964	Microsoft.exe
3900	Microsoft.exe
1768	Microsoft.exe
4228	Microsoft.exe
5008	Microsoft.exe
600	Microsoft.exe
2360	Microsoft.exe
112	Microsoft.exe
516	Microsoft.exe
4760	Microsoft.exe
8	Microsoft.exe
2396	Microsoft.exe
408	Microsoft.exe
5080	Microsoft.exe
4532	Microsoft.exe
1388	Microsoft.exe
3744	Microsoft.exe
4120	Microsoft.exe
1360	Microsoft.exe
4908	Microsoft.exe
1400	Microsoft.exe
1792	Microsoft.exe
4596	Microsoft.exe
4768	Microsoft.exe
4752	Microsoft.exe
4456	Microsoft.exe
4260	Microsoft.exe
5000	Microsoft.exe
2948	Microsoft.exe
292	Microsoft.exe
4680	Microsoft.exe
3836	Microsoft.exe
1412	Microsoft.exe
4856	Microsoft.exe
1780	Microsoft.exe
2804	Microsoft.exe
3004	Microsoft.exe
1136	Microsoft.exe
1952	Microsoft.exe
3340	Microsoft.exe
2912	Microsoft.exe
1984	Microsoft.exe
3448	Microsoft.exe
488	Microsoft.exe
4740	Microsoft.exe
1396	Microsoft.exe
2932	Microsoft.exe
2268	Microsoft.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2652	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	81
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2220 wrote to memory of 2732	2220	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	82
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 2652 wrote to memory of 500	2652	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	83
PID 500 wrote to memory of 3836	500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	84
PID 500 wrote to memory of 3836	500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	84
PID 500 wrote to memory of 3836	500	4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe	84
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 2136	3836	Microsoft.exe	85
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 3836 wrote to memory of 3616	3836	Microsoft.exe	86
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 2136 wrote to memory of 3896	2136	Microsoft.exe	87
PID 3896 wrote to memory of 2940	3896	Microsoft.exe	88
PID 3896 wrote to memory of 2940	3896	Microsoft.exe	88
PID 3896 wrote to memory of 2940	3896	Microsoft.exe	88
PID 2940 wrote to memory of 3852	2940	Microsoft.exe	89
PID 2940 wrote to memory of 3852	2940	Microsoft.exe	89

C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
"C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
  C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
    "C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:500
  - - C:\Windows\SysWOW64\Microsoft.exe
      "C:\Windows\System32\Microsoft.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4056
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3448
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:584
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2316
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:32
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        33⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4072
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        38⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        39⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:412
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        42⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        44⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        45⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3340
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4972
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        50⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:392
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        53⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        54⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        56⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        57⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:3840
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        59⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4228
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        62⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        63⤵
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        64⤵
        Suspicious use of SetThreadContext
        
        PID:5088
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        65⤵
        Suspicious use of SetWindowsHookEx
        
        PID:600
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        67⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        68⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        69⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        70⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        71⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        73⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        74⤵
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        75⤵
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        76⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        77⤵
        Suspicious use of SetWindowsHookEx
        
        PID:516
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        78⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        79⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        80⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        81⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        82⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        83⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        84⤵
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        85⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        86⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        87⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        88⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        89⤵
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        90⤵
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        91⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        92⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        94⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        95⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        97⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        98⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        100⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        101⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4036
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        103⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        104⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        106⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        107⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        109⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        110⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        112⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        113⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        114⤵
        Checks computer location settings
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        115⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        116⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        117⤵
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        118⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        116⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        113⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        110⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        107⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        104⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        101⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        98⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        95⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        92⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        89⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        86⤵
        
        PID:700
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        83⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        80⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        77⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        74⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        71⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        68⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        65⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        62⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        59⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        56⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        53⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        50⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        47⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        44⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        41⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        38⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        35⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        32⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        29⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        26⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        23⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        20⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        17⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        14⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        11⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        8⤵
        Executes dropped EXE
        
        PID:3020
    - - C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        5⤵
        Executes dropped EXE
        
        PID:3616
- C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
  C:\Users\Admin\AppData\Local\Temp\4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb.exe
  2⤵
  PID:2732

C:\Windows\SysWOW64\Microsoft.exe
C:\Windows\SysWOW64\Microsoft.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:4596
- C:\Windows\SysWOW64\Microsoft.exe
  "C:\Windows\SysWOW64\Microsoft.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:3324
- - C:\Users\Admin\AppData\Roaming\Microsoft.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
    3⤵
    PID:4556
  - - C:\Users\Admin\AppData\Roaming\Microsoft.exe
      C:\Users\Admin\AppData\Roaming\Microsoft.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4768
    - - C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
      - C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        6⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        9⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        12⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        14⤵
        Modifies registry class
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        15⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        17⤵
        Checks computer location settings
        
        PID:4828
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        18⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        19⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        20⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        21⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        22⤵
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        23⤵
        Drops file in System32 directory
        
        PID:360
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        24⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        25⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        26⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        27⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        28⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        29⤵
        Checks computer location settings
        
        PID:2284
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        30⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        33⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        34⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        35⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        36⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        37⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        38⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        39⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        40⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        41⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        42⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        43⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        45⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        46⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        48⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        49⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        51⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        52⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        54⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        55⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        57⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        58⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        60⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        61⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        62⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        63⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        64⤵
        Suspicious use of SetWindowsHookEx
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        65⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        66⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        67⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4740
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        69⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        70⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        71⤵
        Checks computer location settings
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        72⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        73⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        75⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        76⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        77⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        78⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        79⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        81⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        82⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        83⤵
        Checks computer location settings
        
        PID:4068
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        84⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        85⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        87⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        88⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        90⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        91⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        92⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        93⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        94⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        95⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        96⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        97⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        99⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        100⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        102⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        103⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        104⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        105⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        106⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        107⤵
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        108⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        109⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        111⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        112⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        113⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        114⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        115⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        116⤵
        Checks computer location settings
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        117⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        118⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        119⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        120⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        121⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        123⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        124⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        125⤵
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        126⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        127⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        129⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        130⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        131⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        132⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        133⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        135⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        136⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        138⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        139⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        140⤵
        Checks computer location settings
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        141⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        142⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        143⤵
        Checks computer location settings
        
        PID:936
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        144⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        145⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        146⤵
        Checks computer location settings
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        147⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        148⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        149⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        150⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        151⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        152⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        153⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        154⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        155⤵
        Checks computer location settings
        
        PID:3684
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        156⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        157⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        159⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        160⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        161⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\System32\Microsoft.exe"
        162⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        163⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        164⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        165⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        163⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        160⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        157⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        154⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        151⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        148⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        145⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        142⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        139⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        136⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        133⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        130⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        127⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        124⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        121⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        118⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        115⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        112⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        109⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        106⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        103⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        100⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        97⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        94⤵
        
        PID:584
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        91⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        88⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        85⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        82⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        79⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        76⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        73⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        70⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        67⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        64⤵
        
        PID:804
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        61⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        58⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        55⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        52⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        49⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        46⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        43⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        40⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        37⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        34⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        31⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        28⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        25⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        22⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        19⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        16⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        13⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        10⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Microsoft.exe
        
        C:\Windows\SysWOW64\Microsoft.exe
        7⤵
        
        PID:512
  - - C:\Users\Admin\AppData\Roaming\Microsoft.exe
      C:\Users\Admin\AppData\Roaming\Microsoft.exe
      4⤵
      PID:3584

C:\Windows\SysWOW64\Microsoft.exe
C:\Windows\SysWOW64\Microsoft.exe
1⤵
PID:3912

C:\Users\Admin\AppData\Roaming\Microsoft.exe
C:\Users\Admin\AppData\Roaming\Microsoft.exe
1⤵
PID:4236
- C:\Users\Admin\AppData\Roaming\Microsoft.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2260
- - C:\Windows\SysWOW64\Microsoft.exe
    "C:\Windows\System32\Microsoft.exe"
    3⤵
    PID:5020
  - - C:\Windows\SysWOW64\Microsoft.exe
      C:\Windows\SysWOW64\Microsoft.exe
      4⤵
      PID:3064
    - - C:\Windows\SysWOW64\Microsoft.exe
        
        "C:\Windows\SysWOW64\Microsoft.exe"
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
      - C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        6⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        7⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft.exe"
        8⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft.exe
        7⤵
        
        PID:3500
  - - C:\Windows\SysWOW64\Microsoft.exe
      C:\Windows\SysWOW64\Microsoft.exe
      4⤵
      PID:1016

C:\Users\Admin\AppData\Roaming\Microsoft.exe
C:\Users\Admin\AppData\Roaming\Microsoft.exe
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
C:\Windows\SysWOW64\Microsoft.exe

Filesize
422KB

MD5
6b32d61d63952184bd5333fe13319fe0

SHA1
f478f373bbca84edfe3d030a0255608fd48169ff

SHA256
4ddf55e408dd3ae54be9444d0d4494bb688c5fcbfefcde259bbbbc557e7d61bb

SHA512
0d693518b0ca6070d9d63e782c730b6cb3381d52fb407feac1b4c13bf5034b30726abcf17fb9b7695c188be0a6f9056aa3525d11d8e7679cd68b616a542b4d28

Download Submit
memory/32-348-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/500-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/500-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/500-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/500-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/500-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/800-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/800-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-439-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1472-371-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1652-456-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1660-301-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1712-407-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1712-416-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1804-282-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1892-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-168-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2256-326-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2256-406-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2368-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2380-236-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2436-257-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2652-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2652-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2652-147-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2732-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2732-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-281-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2764-270-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2980-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-194-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3284-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3344-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3344-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3384-370-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3416-327-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3616-170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3700-349-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3852-192-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3896-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4056-214-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4188-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4188-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4224-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4224-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-418-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4364-305-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4364-299-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4368-437-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4416-393-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4484-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4484-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-392-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4560-457-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4616-235-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4780-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4780-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-260-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4844-215-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5024-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5024-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download