e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66

Analysis

max time kernel
162s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
Size

344KB
MD5

246f863339661fec85869da29d2b2878
SHA1

85f109292353baaadfdbea500b469258faf0b8f3
SHA256

e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66
SHA512

2d99b4423885517ad97a37d733d615faa0fe327137e84ea8c72b64b7618d3ee4938313cb622f2a10a37bab318365786bce95659b0c9c2c9ecf3af93245e5d9c3
SSDEEP

6144:yuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL3ks3ih1XGWp:Z6Wq4aaE6KwyF5L0Y2D1PqLF3c20

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2004	commander.exe
1480	commander.exe
1376	svhost.exe
1636	commander.exe
2040	commander.exe
1812	commander.exe
1644	commander.exe
1196	system.exe
1944	commander.exe
864	system.exe
1100	commander.exe
1876	system.exe
1464	commander.exe
316	system.exe
1968	commander.exe
1988	system.exe
1720	commander.exe
2008	system.exe
1164	commander.exe
1124	system.exe
588	commander.exe
1652	system.exe
1872	commander.exe
964	system.exe
1664	commander.exe
1020	system.exe
888	commander.exe
816	system.exe
788	commander.exe
1984	system.exe
976	commander.exe
1948	system.exe
1996	commander.exe
1288	system.exe
1120	commander.exe
820	system.exe
1192	commander.exe
1640	system.exe
1212	commander.exe
972	system.exe
1804	commander.exe
1324	system.exe
676	commander.exe
1536	system.exe
1592	commander.exe
1100	system.exe
1952	commander.exe
1984	system.exe
1280	commander.exe
1648	system.exe
1712	commander.exe
1816	system.exe
1448	commander.exe
2040	system.exe
1120	commander.exe
588	system.exe
1828	commander.exe
1188	system.exe
1212	commander.exe
1644	system.exe
1324	commander.exe
828	system.exe
1536	commander.exe
1596	system.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1448-54-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1448-65-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-66.dat	upx
behavioral1/files/0x000c0000000054a8-68.dat	upx
behavioral1/memory/1376-74-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-84.dat	upx
behavioral1/files/0x0006000000014f93-85.dat	upx
behavioral1/memory/1644-86-0x0000000000C00000-0x0000000000CC8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-88.dat	upx
behavioral1/memory/1196-90-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-95.dat	upx
behavioral1/files/0x000600000001504d-97.dat	upx
behavioral1/memory/864-98-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-103.dat	upx
behavioral1/memory/1876-105-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-110.dat	upx
behavioral1/files/0x0006000000015557-112.dat	upx
behavioral1/memory/316-113-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-118.dat	upx
behavioral1/memory/1988-120-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-125.dat	upx
behavioral1/memory/2008-128-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000015557-127.dat	upx
behavioral1/files/0x0006000000014f93-133.dat	upx
behavioral1/files/0x0006000000015557-135.dat	upx
behavioral1/memory/1124-136-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-141.dat	upx
behavioral1/memory/1652-143-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1376-144-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-149.dat	upx
behavioral1/files/0x0006000000015557-151.dat	upx
behavioral1/memory/964-152-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-157.dat	upx
behavioral1/memory/1020-159-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1020-160-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-165.dat	upx
behavioral1/files/0x0006000000015557-167.dat	upx
behavioral1/memory/816-168-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-173.dat	upx
behavioral1/memory/1984-175-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-180.dat	upx
behavioral1/files/0x0006000000015557-182.dat	upx
behavioral1/memory/1948-183-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0006000000014f93-188.dat	upx
behavioral1/memory/1288-190-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1288-191-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/820-195-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1640-199-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/972-203-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1324-207-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1536-211-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1100-215-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1984-219-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1648-223-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1816-227-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2040-231-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/588-235-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1188-239-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1644-243-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/828-247-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1596-249-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1152-251-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1984-253-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1968-255-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1644	commander.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\f:	svhost.exe

AutoIT Executable 61 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1448-65-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1376-74-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1196-90-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/864-98-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1876-105-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/316-113-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1988-120-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/2008-128-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1124-136-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1652-143-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1376-144-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/964-152-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1020-159-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1020-160-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/816-168-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1984-175-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1948-183-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1288-190-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1288-191-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/820-195-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1640-199-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/972-203-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1324-207-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1536-211-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1100-215-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1984-219-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1648-223-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1816-227-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/2040-231-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/588-235-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1188-239-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1644-243-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/828-247-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1596-249-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1152-251-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1984-253-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1968-255-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1096-257-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1216-259-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1748-261-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1208-264-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1076-266-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1076-267-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/696-269-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1068-271-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1156-273-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1156-274-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1696-278-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1616-280-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/436-282-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/864-284-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1216-286-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/2040-288-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1972-290-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1120-292-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1112-294-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/512-296-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1876-298-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/676-300-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1356-302-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe
behavioral1/memory/1448-304-0x0000000000400000-0x00000000004C8000-memory.dmp	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6CE17TOX.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\caf[1].js	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\wabq1c7\imagestore.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\JN8HDIZY.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File created	C:\Windows\SysWOW64\svhost.exe	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\G2T7CUZW.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\G2T7CUZW.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{00B42C81-69BE-11ED-965B-E20468906380}.dat	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\aa[1].htm	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url:favicon	iexplore.exe
File created	C:\Windows\SysWOW64\commander.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\JN8HDIZY.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KQXGAPTE.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\XZ45GE6Q.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4VKS5K29.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{00B42C81-69BE-11ED-965B-E20468906380}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\N4XPBBU2.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5PL84HU4.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\XZ45GE6Q.txt	iexplore.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svhost.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe
File created	C:\Windows\16.1661907201633.exe	svhost.exe
File created	C:\Windows\svhost.exe	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = e0fbdccbcafdd801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038b2f4af30ca494486dcd40810609aa300000000020000000000106600000001000020000000ab60ac2f11448c096701735c8ad1bbd7bcaa7a3e6131fae5bacf875496ce087e000000000e8000000002000020000000b09930d2837c86634cd5f5dd1698166e00be5c18b1d50497eaba2d3901fbb4dc20000000964683ac679bca34f4e1b5b0dee768b845572561324d75c77468c70653bfa3f740000000ebca016f32a76aa5ceefa9aeb0fdea293fd324362337dcc7423e425b7f609b25c2491783ffcb916599f9cfcc84370c53d8bc5e02402d61b000ae3111d86ffdd1	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-a6-83-9c-54-3e\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038b2f4af30ca494486dcd40810609aa300000000020000000000106600000001000020000000277bafbf4fc2196827ec39915194919526f348a651379126e97f9e4135c0291b000000000e800000000200002000000046b5da72534545ab01de87dedc716d9bd5a8e52ff4a70d7ae178a501b14335b6500000004b37114b6f8a6304d1f820c2576f7f0216a82ef37db435feee48a87ffce84368a15fb9b208b24a3c893a1c9629a525d8c1299e63bf7fcff958f575ce63f8ef8941448a200ba6970685430a57088f82c4400000003aa3f2369dc0f94421bb73820c6098b81111b7c38cbd798d6df10098fbc07bd8db60b8d853609870066e25537881a471576a5ce5742bea9518d04fc47db829fe	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0084000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-a6-83-9c-54-3e\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = e0fbdccbcafdd801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C6C4D1-9AC0-4562-B9AB-A926925356F9}\d6-a6-83-9c-54-3e	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C6C4D1-9AC0-4562-B9AB-A926925356F9}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
1376	svhost.exe
1376	svhost.exe
1376	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	svhost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe
1908	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2004	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	27
PID 1448 wrote to memory of 2004	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	27
PID 1448 wrote to memory of 2004	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	27
PID 1448 wrote to memory of 2004	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	27
PID 2004 wrote to memory of 1988	2004	commander.exe	29
PID 2004 wrote to memory of 1988	2004	commander.exe	29
PID 2004 wrote to memory of 1988	2004	commander.exe	29
PID 2004 wrote to memory of 1988	2004	commander.exe	29
PID 1448 wrote to memory of 1480	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	30
PID 1448 wrote to memory of 1480	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	30
PID 1448 wrote to memory of 1480	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	30
PID 1448 wrote to memory of 1480	1448	e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe	30
PID 1480 wrote to memory of 1084	1480	commander.exe	32
PID 1480 wrote to memory of 1084	1480	commander.exe	32
PID 1480 wrote to memory of 1084	1480	commander.exe	32
PID 1480 wrote to memory of 1084	1480	commander.exe	32
PID 584 wrote to memory of 1376	584	taskeng.exe	34
PID 584 wrote to memory of 1376	584	taskeng.exe	34
PID 584 wrote to memory of 1376	584	taskeng.exe	34
PID 584 wrote to memory of 1376	584	taskeng.exe	34
PID 1376 wrote to memory of 1636	1376	svhost.exe	35
PID 1376 wrote to memory of 1636	1376	svhost.exe	35
PID 1376 wrote to memory of 1636	1376	svhost.exe	35
PID 1376 wrote to memory of 1636	1376	svhost.exe	35
PID 1376 wrote to memory of 2040	1376	svhost.exe	37
PID 1376 wrote to memory of 2040	1376	svhost.exe	37
PID 1376 wrote to memory of 2040	1376	svhost.exe	37
PID 1376 wrote to memory of 2040	1376	svhost.exe	37
PID 1376 wrote to memory of 1812	1376	svhost.exe	39
PID 1376 wrote to memory of 1812	1376	svhost.exe	39
PID 1376 wrote to memory of 1812	1376	svhost.exe	39
PID 1376 wrote to memory of 1812	1376	svhost.exe	39
PID 1376 wrote to memory of 1644	1376	svhost.exe	41
PID 1376 wrote to memory of 1644	1376	svhost.exe	41
PID 1376 wrote to memory of 1644	1376	svhost.exe	41
PID 1376 wrote to memory of 1644	1376	svhost.exe	41
PID 1644 wrote to memory of 1196	1644	commander.exe	43
PID 1644 wrote to memory of 1196	1644	commander.exe	43
PID 1644 wrote to memory of 1196	1644	commander.exe	43
PID 1644 wrote to memory of 1196	1644	commander.exe	43
PID 1376 wrote to memory of 1944	1376	svhost.exe	44
PID 1376 wrote to memory of 1944	1376	svhost.exe	44
PID 1376 wrote to memory of 1944	1376	svhost.exe	44
PID 1376 wrote to memory of 1944	1376	svhost.exe	44
PID 1944 wrote to memory of 864	1944	commander.exe	46
PID 1944 wrote to memory of 864	1944	commander.exe	46
PID 1944 wrote to memory of 864	1944	commander.exe	46
PID 1944 wrote to memory of 864	1944	commander.exe	46
PID 1376 wrote to memory of 1100	1376	svhost.exe	47
PID 1376 wrote to memory of 1100	1376	svhost.exe	47
PID 1376 wrote to memory of 1100	1376	svhost.exe	47
PID 1376 wrote to memory of 1100	1376	svhost.exe	47
PID 1100 wrote to memory of 1876	1100	commander.exe	49
PID 1100 wrote to memory of 1876	1100	commander.exe	49
PID 1100 wrote to memory of 1876	1100	commander.exe	49
PID 1100 wrote to memory of 1876	1100	commander.exe	49
PID 1376 wrote to memory of 1464	1376	svhost.exe	50
PID 1376 wrote to memory of 1464	1376	svhost.exe	50
PID 1376 wrote to memory of 1464	1376	svhost.exe	50
PID 1376 wrote to memory of 1464	1376	svhost.exe	50
PID 1464 wrote to memory of 316	1464	commander.exe	52
PID 1464 wrote to memory of 316	1464	commander.exe	52
PID 1464 wrote to memory of 316	1464	commander.exe	52
PID 1464 wrote to memory of 316	1464	commander.exe	52

C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
"C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:1988
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:1084

C:\Windows\system32\taskeng.exe
taskeng.exe {6B764915-113C-47AB-B5B3-E239B23BB58C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1196
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
      4⤵
      Executes dropped EXE
      PID:1876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:316
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
    3⤵
    - Executes dropped EXE
    PID:1968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
      4⤵
      Executes dropped EXE
      PID:1988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1124
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
    3⤵
    - Executes dropped EXE
    PID:588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:964
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
    3⤵
    - Executes dropped EXE
    PID:1664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
      4⤵
      Executes dropped EXE
      PID:1020
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
    3⤵
    - Executes dropped EXE
    PID:788
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1948
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
    3⤵
    - Executes dropped EXE
    PID:1996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
      4⤵
      Executes dropped EXE
      PID:1288
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1120
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:820
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
    3⤵
    - Executes dropped EXE
    PID:1192
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
      4⤵
      Executes dropped EXE
      PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1212
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1324
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
    3⤵
    - Executes dropped EXE
    PID:676
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1100
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Users.exe
    3⤵
    - Executes dropped EXE
    PID:1952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Users.exe
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1448
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1120
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1828
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1188
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1212
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1644
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:828
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:788
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1748
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1208
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:696
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
      4⤵
      PID:1068
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1156
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C at 9:00 /interactive C:\Windows\16.1661907201633.exe
    3⤵
    PID:588
  - - C:\Windows\SysWOW64\at.exe
      at 9:00 /interactive C:\Windows\16.1661907201633.exe
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C schtasks /run /tn at1
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /tn at1
      4⤵
      PID:972
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:436
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:316
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1112
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:512
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:380
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1068
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1360
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1048
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:972
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:920

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1908
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:1112
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
344KB

MD5
d88dff13a3267a546b2388102b939966

SHA1
810f5c98dfc1ca5cec2c89da05eceb055c32e8ab

SHA256
9a9d054004c4b5a55c21e8c08d95bb09927baf2f2fd369893eea59e51c81d754

SHA512
0473e057807e4b918e0a2bb19e33dc4290f4139f2fa3e0e262e958b82ac119fa7f04a71828941ef09f496f41a94614f0b608b1c151bc5593014527667e979448

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
C:\Windows\svhost.exe

Filesize
344KB

MD5
7dad3acd06e4146648deb0ccd2a7e17c

SHA1
128966cd56328ea91ab33debef0adfa66c142ad8

SHA256
7e553e394ba3208479ecf3637ab074d6d29fbb16123042cebc9904d99892de7f

SHA512
d43eb690928b6c43535a3fef07cacfa39f2b5591e03f95feb680d6b7a497834e960eaa51d2776e0276270c3ec8d00d864ae07740ab2c4e46f46062de1d2d7549

Download Submit
C:\Windows\svhost.exe

Filesize
344KB

MD5
7dad3acd06e4146648deb0ccd2a7e17c

SHA1
128966cd56328ea91ab33debef0adfa66c142ad8

SHA256
7e553e394ba3208479ecf3637ab074d6d29fbb16123042cebc9904d99892de7f

SHA512
d43eb690928b6c43535a3fef07cacfa39f2b5591e03f95feb680d6b7a497834e960eaa51d2776e0276270c3ec8d00d864ae07740ab2c4e46f46062de1d2d7549

Download Submit
C:\startup.exe

Filesize
344KB

MD5
74270b93cc56e2cee25a43354905f39d

SHA1
a318a8a953038423d968e6f79a6ee74b45bb2ce0

SHA256
6186b6a5691806712592592eddd262c021c9d0563bf98b3259acc8c1e54f2834

SHA512
9e8e4a5929751ce6223e8320563a14b834fa8039f22f893fec3b61e0759ca169fdaaf0f0fba9c33c2dee73714963eaa9bc116d7e7a3bda2f4d9ac8edf2b1f92b

Download Submit
C:\startup.exe

Filesize
344KB

MD5
ae1941b8cf1614907aaae4189944467d

SHA1
e4a18c41ba7907c0e0093337833f72e993c33cc3

SHA256
9a106fe71451e738dcfda451811b3d88eb2ac1e9b08c04086c7f2374dc03ee64

SHA512
4cb984c30bfa364eb484ba3f08b7f81bd821e34fb83145b142639ac5a4227cc02da0a7bab053373cb2369b16457686ce853ba02d209c79b08d2175d917f72290

Download Submit
C:\startup.exe

Filesize
344KB

MD5
3873aea6cece686fea78fb1d33d65f65

SHA1
dc87c4a8c84e6d3b8ac4f0aaf8ddd798573d17d8

SHA256
04fbade3f7ab6030988268637c4958a40d205e867ae399304bbbddc322c19531

SHA512
368dd0964d2497d42a0faa9f08ae2b3b288ae9e6c6412744ea9f0f89cfb605326fa0d8df56dda400e617ed45adce96723800d2e39f519943b2df641aa7afc61e

Download Submit
C:\startup.exe

Filesize
344KB

MD5
b1a1dde7fbaec1cb9bac1fe10d985b8e

SHA1
bdc07c3a6853554acce5058a8e3d88e407d0fd19

SHA256
f9f90c3ddc254fbed7ba0adaebefb8e3bcd2814b071592c396b382a75e4b77b4

SHA512
0f98280a3cd5d527720c9ffc0c838bb0dce1217de077c4ef3daf82a5d879c1b607c9a04a96f8718b2fa8d2edb90643406ec4da0810fbf68e8539d999fc59eea7

Download Submit
C:\startup.exe

Filesize
344KB

MD5
1fd3ad1a15d789f97ae3f81a4ed118a1

SHA1
ca49ac719d84788fd68a115894f03677569b92d0

SHA256
436e800f5b819d56bb845dcee0932f92cd9c18ce7bede5cc0ff268b4962d241d

SHA512
5bde63840d1c831faece3c2836ff56c2ff39efd3febb0fb3d4ffa3ea7d2ba81b9d00c916ebb34631649d29fffc0786cb45002940a1f34f99c85305386e9c1535

Download Submit
C:\startup.exe

Filesize
344KB

MD5
376d0c71a32bc1c644c58f7558153d65

SHA1
b46871febfe94e6a336858a08c6d58faa1d2b146

SHA256
0599ac3ef06c47e338bb6739d9e9437002a67aad5d159817fb11702fde57a287

SHA512
f8577853bef759cb1dd286d67d2a2b7739754a659c50c6166f50b733a2a13d30740df5d562d708ad580345049481b82d8626dc25bc4fde6b7f2f79498d7685e0

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
07862c7585964ee8b9673fd411b0fac8

SHA1
ba18a20bdca588c1fc723628e8d24ce1799c02b0

SHA256
b86c39d981f40f4c099d07c1c30fbd614ba6eacaead69289a3baa2ff8a5f9354

SHA512
edd3695435ec0a0ed3004d883b6b7bb7c9b0ae0ed2c5bdfc8c8debf87116fa15d06dc1c981dd558d192dd910745fc07fb74a03764ec3f5749b8bd76a70eb1edd

Download Submit
\Windows\SysWOW64\system.exe

Filesize
344KB

MD5
76f5abe59fc3876c42976ed2b87c5976

SHA1
2c80776f23a58963a7d3dedee346c0bcc4139e73

SHA256
606e8734c0d729422ab1eab456bce7cc870eb1215dca5b5b5347076dcecf0cdb

SHA512
55a7eda3630beec9d6657f181a0f6b0d74ec45f5bfd04cae6f544c9c378120ee372e82b499b3d30d9dad64f2053c7eb131b8b7bbd994ce6d6125a654f71b789e

Download Submit
memory/316-113-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/436-282-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/512-296-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/588-235-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/676-300-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/696-269-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/816-168-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/820-195-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/828-247-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/864-284-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/864-98-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/964-152-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/972-203-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1020-160-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1020-159-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1068-271-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1076-266-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1076-267-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1096-257-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1100-215-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1112-294-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1120-292-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1124-136-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1152-251-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1152-275-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1156-273-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1156-274-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1188-239-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1196-90-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1208-264-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1208-263-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1216-286-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1216-259-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1288-191-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1288-190-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1324-207-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1356-302-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1376-144-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1376-74-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1448-54-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1448-65-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1448-304-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1448-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1536-211-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1596-249-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1616-280-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1640-199-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1644-86-0x0000000000C00000-0x0000000000CC8000-memory.dmp

Filesize
800KB

Download
memory/1644-243-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1648-223-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1652-143-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1696-278-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1748-261-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1816-227-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1876-105-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1876-298-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1948-183-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1968-255-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1972-290-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1984-175-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1984-219-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1984-253-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1988-120-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2008-128-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2040-231-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2040-288-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download