edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

Analysis

max time kernel
84s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Size

1.5MB
MD5

94f720790cfe857c4aff758bc671133f
SHA1

b6debf7a5a4798e01a81435c1b977a5d3584f7ac
SHA256

edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b
SHA512

5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112
SSDEEP

24576:bkNkiI3rh3eSaSZ+jF2z80Y09bHJCveXEHXsTkz8TkV7QROn1tTeRWQ:b3iI3rj2jF2z80JbJEHXoTDsn1tSh

Score

8^/10

collection discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
448	trsxn.exe
1516	trsxn.exe
2472	trsxn.exe
3184	trsxn.exe
4352	trsxn.exe
3592	trsxn.exe
1964	trsxn.exe
3580	trsxn.exe
3196	trsxn.exe
400	trsxn.exe
4644	trsxn.exe
1544	trsxn.exe
2376	trsxn.exe
432	trsxn.exe
1456	trsxn.exe
2304	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1636	trsxn.exe
4644	trsxn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3648-235-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3648-239-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/3352-247-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	icanhazip.com
22	ipinfo.io
51	ipinfo.io
85	ipinfo.io
90	ipinfo.io
113	ipinfo.io

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 3588 set thread context of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 5116 set thread context of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 3592 set thread context of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 5116 set thread context of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 3872 set thread context of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 5116 set thread context of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 1344 set thread context of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 5116 set thread context of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 448 set thread context of 1516	448	trsxn.exe	106
PID 1516 set thread context of 2472	1516	trsxn.exe	107
PID 448 set thread context of 3184	448	trsxn.exe	108
PID 5116 set thread context of 1048	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	111
PID 3184 set thread context of 3592	3184	trsxn.exe	113
PID 448 set thread context of 1964	448	trsxn.exe	116
PID 1048 set thread context of 1808	1048	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	119
PID 5116 set thread context of 1404	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	120
PID 1964 set thread context of 3580	1964	trsxn.exe	121
PID 448 set thread context of 400	448	trsxn.exe	122
PID 1404 set thread context of 552	1404	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	124
PID 5116 set thread context of 3460	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	125
PID 400 set thread context of 1544	400	trsxn.exe	128
PID 448 set thread context of 432	448	trsxn.exe	129
PID 3460 set thread context of 4376	3460	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	131
PID 5116 set thread context of 4656	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	132
PID 432 set thread context of 1456	432	trsxn.exe	133
PID 448 set thread context of 2304	448	trsxn.exe	179
PID 4656 set thread context of 2196	4656	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	137
PID 5116 set thread context of 4372	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	138
PID 2304 set thread context of 1636	2304	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	139
PID 448 set thread context of 4644	448	trsxn.exe	140

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4412	4080	WerFault.exe	100
4888	4584	WerFault.exe	151
1648	624	WerFault.exe	165

Checks SCSI registry key(s) 3 TTPs 34 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	trsxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	trsxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
4528	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
820	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
2868	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
2868	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
448	trsxn.exe
448	trsxn.exe
1308	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1308	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1516	trsxn.exe
1516	trsxn.exe
448	trsxn.exe
448	trsxn.exe
3184	trsxn.exe
3184	trsxn.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3184	trsxn.exe
3184	trsxn.exe
448	trsxn.exe
448	trsxn.exe
3592	trsxn.exe
1048	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1048	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1964	trsxn.exe
1964	trsxn.exe
448	trsxn.exe
448	trsxn.exe
448	trsxn.exe
448	trsxn.exe
1808	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1404	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
1404	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
3580	trsxn.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
400	trsxn.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	4528	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	820	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	2868	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	448	trsxn.exe
Token: SeDebugPrivilege	1308	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	1516	trsxn.exe
Token: SeDebugPrivilege	3184	trsxn.exe
Token: SeDebugPrivilege	3648	cvtres.exe
Token: SeDebugPrivilege	3352	cvtres.exe
Token: SeDebugPrivilege	1048	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	696	cvtres.exe
Token: SeDebugPrivilege	3592	trsxn.exe
Token: SeDebugPrivilege	1964	trsxn.exe
Token: SeDebugPrivilege	1808	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	1404	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	400	trsxn.exe
Token: SeDebugPrivilege	3580	trsxn.exe
Token: SeDebugPrivilege	3460	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	552	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	1544	trsxn.exe
Token: SeDebugPrivilege	432	trsxn.exe
Token: SeDebugPrivilege	4656	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	4376	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	1456	trsxn.exe
Token: SeDebugPrivilege	2304	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	4372	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
Token: SeDebugPrivilege	2196	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4080	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 5116 wrote to memory of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 5116 wrote to memory of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 5116 wrote to memory of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 5116 wrote to memory of 3588	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	87
PID 3588 wrote to memory of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 3588 wrote to memory of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 3588 wrote to memory of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 3588 wrote to memory of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 3588 wrote to memory of 4528	3588	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	90
PID 5116 wrote to memory of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 5116 wrote to memory of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 5116 wrote to memory of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 5116 wrote to memory of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 5116 wrote to memory of 3592	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	91
PID 3592 wrote to memory of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 3592 wrote to memory of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 3592 wrote to memory of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 3592 wrote to memory of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 3592 wrote to memory of 820	3592	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	92
PID 5116 wrote to memory of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 5116 wrote to memory of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 5116 wrote to memory of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 5116 wrote to memory of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 5116 wrote to memory of 3872	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	93
PID 4528 wrote to memory of 448	4528	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	95
PID 4528 wrote to memory of 448	4528	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	95
PID 4528 wrote to memory of 448	4528	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	95
PID 3872 wrote to memory of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 3872 wrote to memory of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 3872 wrote to memory of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 3872 wrote to memory of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 3872 wrote to memory of 2868	3872	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	96
PID 5116 wrote to memory of 1320	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	97
PID 5116 wrote to memory of 1320	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	97
PID 5116 wrote to memory of 1320	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	97
PID 5116 wrote to memory of 1320	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	97
PID 5116 wrote to memory of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 5116 wrote to memory of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 5116 wrote to memory of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 5116 wrote to memory of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 5116 wrote to memory of 1344	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	98
PID 1344 wrote to memory of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 1344 wrote to memory of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 1344 wrote to memory of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 1344 wrote to memory of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 1344 wrote to memory of 1308	1344	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	99
PID 5116 wrote to memory of 3196	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	102
PID 5116 wrote to memory of 3196	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	102
PID 5116 wrote to memory of 3196	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	102
PID 5116 wrote to memory of 3196	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	102
PID 5116 wrote to memory of 400	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	101
PID 5116 wrote to memory of 400	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	101
PID 5116 wrote to memory of 400	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	101
PID 5116 wrote to memory of 400	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	101
PID 5116 wrote to memory of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 5116 wrote to memory of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 5116 wrote to memory of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 5116 wrote to memory of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 5116 wrote to memory of 4080	5116	edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe	100
PID 448 wrote to memory of 1516	448	trsxn.exe	106
PID 448 wrote to memory of 1516	448	trsxn.exe	106
PID 448 wrote to memory of 1516	448	trsxn.exe	106
PID 448 wrote to memory of 1516	448	trsxn.exe	106

C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
"C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\ProgramData\sPeeHKpSg\trsxn.exe
      "C:\ProgramData\sPeeHKpSg\trsxn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp6FA2.tmp"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp75DD.tmp"
        7⤵
        Accesses Microsoft Outlook accounts
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp7AB0.tmp"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        
        PID:4352
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        
        PID:4644
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        
        PID:3196
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        
        PID:2376
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        
        PID:2304
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        Executes dropped EXE
        
        PID:1636
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        Executes dropped EXE
        
        PID:4644
      - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        6⤵
        
        PID:4628
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        
        PID:1532
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        
        PID:3820
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        
        PID:4144
    - - C:\ProgramData\sPeeHKpSg\trsxn.exe
        
        C:\ProgramData\sPeeHKpSg\trsxn.exe
        5⤵
        
        PID:316
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 12
    3⤵
    - Program crash
    PID:4412
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3196
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3692
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 12
      4⤵
      Program crash
      PID:4888
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4616
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4020
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3724
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 12
      4⤵
      Program crash
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3692
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:544
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1732
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:316
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3772
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:3108
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:4768
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  C:\Users\Admin\AppData\Local\Temp\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe
  2⤵
  PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4584 -ip 4584
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 624 -ip 624
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1404 -ip 1404
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aalZunMZD\b23d2365e2784582b42cdd01075b63c2

Filesize
8B

MD5
6361c563c59a049a812c0f509449191c

SHA1
193835e63bae0b7ee7f3ba0a3e912c59e5a7fb1c

SHA256
e1b1b9899eeeb0a3bb10b971e111ed8c18d9b468ba031f69c7fb48209e95abd8

SHA512
48cc32a07eb9400300956ef2ea7ba5bb2a666a134435d8a0eb81606e4e858ff554c3bf7026543064014d7018d1810600cedc8e0ea4458b2509be97fba61fa2b8

Download Submit
C:\ProgramData\aalZunMZD\d912f6aff1a94c3dba0463ed3c353b4a

Filesize
16B

MD5
14798e21909ab781c81ddacd72653c22

SHA1
b8c96a227b398b0a8f685644acfca1acf6e501d5

SHA256
65bc25d71864d706b1f4383f8fbbde4f204d5be329d62b02434e067d4ebd722f

SHA512
902f11f1ba0b5c823b09502f03f6275722ff6a71c1645b42608bfc642f798a2e01642994e1d11cb23af8d98e2e2ed4bbbcb900d33ba37df5cefdbb31965f0d59

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\ProgramData\sPeeHKpSg\trsxn.exe

Filesize
1.5MB

MD5
94f720790cfe857c4aff758bc671133f

SHA1
b6debf7a5a4798e01a81435c1b977a5d3584f7ac

SHA256
edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b

SHA512
5322300105787d4241356db5afb275a17c2ebe2b6407e1674bc0fff993562596e35b8fa68b9a2e019c3bbba05693e241434e6d4dae296edb7409cfce53265112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\edadbc776dadba188b583aa8cb5615bc2a175e15fffc1ceba665ee6ea50e246b.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\trsxn.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
memory/400-284-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/400-305-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/432-337-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/432-315-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/448-224-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/448-184-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/552-297-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/552-322-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/696-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/696-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/696-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/820-165-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/820-167-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1048-258-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1048-238-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1308-208-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1308-200-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1344-185-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1344-194-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1404-290-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1404-282-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1404-266-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1456-339-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1456-358-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1516-207-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1516-215-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1544-312-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1544-321-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1636-368-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1808-281-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1808-270-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1964-273-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/1964-249-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2196-353-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2304-345-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2304-367-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2868-183-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2868-188-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3184-223-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3184-240-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3352-247-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3460-323-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3460-307-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3580-296-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3580-283-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3588-133-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3588-146-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3588-138-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3592-159-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3592-153-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3592-248-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3592-259-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3648-235-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3648-239-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3872-177-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3872-166-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4372-360-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4376-324-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4376-346-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4528-139-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4528-171-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4528-145-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4644-375-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4656-352-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4656-330-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/5116-144-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/5116-132-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download