3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Size

586KB
MD5

856401f79397ae093d5fd7795007d900
SHA1

c03525fe8d9222fcdc7a6efba2063b671c95b690
SHA256

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540
SHA512

d4d9dd5d6d650c2e42d4da859b3a93fe830faf31217a830df90a75e63c3cc243a62bc3cf0f0d847c260f386afe36cd4ff044121d1a8982bf80005e7e98abadd2
SSDEEP

12288:NdmNDwtZF4951xlMfa780coTAHp9/VjbyOogKN1:NwNDwKflMS8VoWp9djed

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1952 984 WerFault.exe 3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

pid	pid_target	process	target process
1952	984	WerFault.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

pid	process
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Token: SeRestorePrivilege	3020	dw20.exe
Token: SeBackupPrivilege	3020	dw20.exe
Token: SeBackupPrivilege	3020	dw20.exe
Token: SeBackupPrivilege	3020	dw20.exe
Token: SeBackupPrivilege	3020	dw20.exe
Token: SeBackupPrivilege	4224	dw20.exe
Token: SeBackupPrivilege	4224	dw20.exe
Token: SeBackupPrivilege	2812	dw20.exe
Token: SeBackupPrivilege	2812	dw20.exe
Token: SeBackupPrivilege	4484	dw20.exe
Token: SeBackupPrivilege	4484	dw20.exe
Token: SeBackupPrivilege	1224	dw20.exe
Token: SeBackupPrivilege	1224	dw20.exe
Token: SeBackupPrivilege	3728	dw20.exe
Token: SeBackupPrivilege	3728	dw20.exe
Token: SeDebugPrivilege	3124	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Token: SeBackupPrivilege	4520	dw20.exe
Token: SeBackupPrivilege	4520	dw20.exe
Token: SeBackupPrivilege	3316	dw20.exe
Token: SeBackupPrivilege	3316	dw20.exe
Token: SeBackupPrivilege	4528	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Token: SeBackupPrivilege	4528	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Token: SeBackupPrivilege	2492	dw20.exe
Token: SeBackupPrivilege	2492	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	5032	dw20.exe
Token: SeBackupPrivilege	1008	dw20.exe
Token: SeBackupPrivilege	1008	dw20.exe
Token: SeBackupPrivilege	3204	dw20.exe
Token: SeBackupPrivilege	3204	dw20.exe
Token: SeBackupPrivilege	1760	dw20.exe
Token: SeBackupPrivilege	1760	dw20.exe
Token: SeBackupPrivilege	2284	dw20.exe
Token: SeBackupPrivilege	2284	dw20.exe
Token: SeBackupPrivilege	3284	dw20.exe
Token: SeBackupPrivilege	3284	dw20.exe
Token: SeBackupPrivilege	3268	dw20.exe
Token: SeBackupPrivilege	3268	dw20.exe
Token: SeBackupPrivilege	3652	dw20.exe
Token: SeBackupPrivilege	3652	dw20.exe
Token: SeBackupPrivilege	1116	dw20.exe
Token: SeBackupPrivilege	1116	dw20.exe
Token: SeBackupPrivilege	2248	dw20.exe
Token: SeBackupPrivilege	2248	dw20.exe
Token: SeBackupPrivilege	1844	dw20.exe
Token: SeBackupPrivilege	1844	dw20.exe
Token: SeBackupPrivilege	4440	dw20.exe
Token: SeBackupPrivilege	4440	dw20.exe
Token: SeBackupPrivilege	4520	dw20.exe
Token: SeBackupPrivilege	4520	dw20.exe
Token: SeBackupPrivilege	5100	dw20.exe
Token: SeBackupPrivilege	5100	dw20.exe
Token: SeBackupPrivilege	4256	dw20.exe
Token: SeBackupPrivilege	4256	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeBackupPrivilege	4696	dw20.exe
Token: SeBackupPrivilege	4696	dw20.exe
Token: SeBackupPrivilege	3456	dw20.exe
Token: SeBackupPrivilege	3456	dw20.exe
Token: SeBackupPrivilege	2008	dw20.exe
Token: SeBackupPrivilege	2008	dw20.exe
Token: SeBackupPrivilege	1280	dw20.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:3440

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 804
3⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 752
3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 816
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 776
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:32

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 816
3⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:2212

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:3508

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4216

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4616

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4640

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:896

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 804
3⤵
- Enumerates system info in registry
PID:1928

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:364

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:528

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:64

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 832
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1956

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 828
3⤵
- Checks processor information in registry
PID:4044

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4696

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:3204

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 832
3⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 424
3⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 832
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:2808

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:1472

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:1532

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4560

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4220

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Enumerates system info in registry
PID:1700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4716

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:1308

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Checks processor information in registry
PID:532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
PID:4160

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4476

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Checks processor information in registry
PID:1892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5048

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:3664

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4044

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:2068

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 420
3⤵
- Program crash
PID:1952

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Checks processor information in registry
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3128

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1308

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:528

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4700

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:3208

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5096

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:2948

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 816
3⤵
- Checks processor information in registry
PID:3284

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:3324

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:380

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Checks computer location settings
- Enumerates system info in registry
PID:3720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:2648

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5028

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 816
3⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:3392

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:448

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5112

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4500

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:3688

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4392

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4964

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:3536

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:3040

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:528

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 424
3⤵
- Checks processor information in registry
PID:344

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:4812

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:212

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 464
3⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:4932

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:1776

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:792

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 824
3⤵
- Checks processor information in registry
PID:1172

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:3704

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 828
3⤵
- Checks processor information in registry
PID:5160

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5236

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5428

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5488

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5552

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 752
3⤵
- Enumerates system info in registry
PID:5636

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5700

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 824
3⤵
- Enumerates system info in registry
PID:5760

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5960

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:6020

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:6056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:6084

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:6116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5124

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5296

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5384

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5520

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5708

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 832
3⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:5896

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Enumerates system info in registry
PID:5952

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:6016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
PID:6088

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4784

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5128

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
3⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:5360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 828
3⤵
PID:5384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 820
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 984 -ip 984
1⤵
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
586KB

MD5
856401f79397ae093d5fd7795007d900

SHA1
c03525fe8d9222fcdc7a6efba2063b671c95b690

SHA256
3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540

SHA512
d4d9dd5d6d650c2e42d4da859b3a93fe830faf31217a830df90a75e63c3cc243a62bc3cf0f0d847c260f386afe36cd4ff044121d1a8982bf80005e7e98abadd2

Download Submit
memory/32-237-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/32-294-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/32-233-0x0000000000000000-mapping.dmp

Download
memory/112-290-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/112-289-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/220-151-0x0000000000000000-mapping.dmp

Download
memory/796-295-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/804-253-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/804-250-0x0000000000000000-mapping.dmp

Download
memory/808-180-0x0000000000000000-mapping.dmp

Download
memory/808-183-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1008-195-0x0000000000000000-mapping.dmp

Download
memory/1028-263-0x0000000000000000-mapping.dmp

Download
memory/1028-266-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1112-171-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1112-170-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1112-167-0x0000000000000000-mapping.dmp

Download
memory/1116-229-0x0000000000000000-mapping.dmp

Download
memory/1224-165-0x0000000000000000-mapping.dmp

Download
memory/1316-242-0x0000000000000000-mapping.dmp

Download
memory/1316-245-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1324-249-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1324-246-0x0000000000000000-mapping.dmp

Download
memory/1540-137-0x0000000000000000-mapping.dmp

Download
memory/1540-146-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1540-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1540-141-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1632-261-0x0000000000000000-mapping.dmp

Download
memory/1748-163-0x0000000000000000-mapping.dmp

Download
memory/1748-166-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1760-205-0x0000000000000000-mapping.dmp

Download
memory/1768-176-0x0000000000000000-mapping.dmp

Download
memory/1768-256-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1768-179-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1772-297-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1844-240-0x0000000000000000-mapping.dmp

Download
memory/1900-282-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1900-281-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1920-292-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2044-136-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2044-132-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2152-262-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2152-259-0x0000000000000000-mapping.dmp

Download
memory/2160-161-0x0000000000000000-mapping.dmp

Download
memory/2188-272-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2236-269-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2248-235-0x0000000000000000-mapping.dmp

Download
memory/2284-209-0x0000000000000000-mapping.dmp

Download
memory/2412-284-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2444-212-0x0000000000000000-mapping.dmp

Download
memory/2460-222-0x0000000000000000-mapping.dmp

Download
memory/2460-226-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2492-186-0x0000000000000000-mapping.dmp

Download
memory/2768-213-0x0000000000000000-mapping.dmp

Download
memory/2768-217-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2768-216-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2800-299-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2812-154-0x0000000000000000-mapping.dmp

Download
memory/2832-241-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2832-238-0x0000000000000000-mapping.dmp

Download
memory/3020-144-0x0000000000000000-mapping.dmp

Download
memory/3120-276-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3120-277-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3124-225-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3124-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-145-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3124-142-0x0000000000000000-mapping.dmp

Download
memory/3204-200-0x0000000000000000-mapping.dmp

Download
memory/3264-159-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3264-160-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3264-156-0x0000000000000000-mapping.dmp

Download
memory/3268-220-0x0000000000000000-mapping.dmp

Download
memory/3284-215-0x0000000000000000-mapping.dmp

Download
memory/3316-178-0x0000000000000000-mapping.dmp

Download
memory/3440-133-0x0000000000000000-mapping.dmp

Download
memory/3504-274-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3652-224-0x0000000000000000-mapping.dmp

Download
memory/3728-169-0x0000000000000000-mapping.dmp

Download
memory/3756-211-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3756-207-0x0000000000000000-mapping.dmp

Download
memory/3756-210-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3792-221-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3792-218-0x0000000000000000-mapping.dmp

Download
memory/3900-227-0x0000000000000000-mapping.dmp

Download
memory/3900-231-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3900-232-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3964-287-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3964-286-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4000-236-0x0000000000000000-mapping.dmp

Download
memory/4004-188-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4004-184-0x0000000000000000-mapping.dmp

Download
memory/4004-187-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4100-303-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4188-305-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4224-149-0x0000000000000000-mapping.dmp

Download
memory/4256-257-0x0000000000000000-mapping.dmp

Download
memory/4284-270-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4292-202-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4292-201-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4292-198-0x0000000000000000-mapping.dmp

Download
memory/4440-244-0x0000000000000000-mapping.dmp

Download
memory/4484-158-0x0000000000000000-mapping.dmp

Download
memory/4508-301-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4520-174-0x0000000000000000-mapping.dmp

Download
memory/4520-248-0x0000000000000000-mapping.dmp

Download
memory/4528-182-0x0000000000000000-mapping.dmp

Download
memory/4556-230-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4556-147-0x0000000000000000-mapping.dmp

Download
memory/4556-150-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4564-152-0x0000000000000000-mapping.dmp

Download
memory/4564-155-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4588-140-0x0000000000000000-mapping.dmp

Download
memory/4624-162-0x0000000000000000-mapping.dmp

Download
memory/4676-258-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4676-254-0x0000000000000000-mapping.dmp

Download
memory/4696-265-0x0000000000000000-mapping.dmp

Download
memory/4732-196-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4732-193-0x0000000000000000-mapping.dmp

Download
memory/4732-197-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4772-192-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4772-189-0x0000000000000000-mapping.dmp

Download
memory/4908-134-0x0000000000000000-mapping.dmp

Download
memory/4928-279-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4956-203-0x0000000000000000-mapping.dmp

Download
memory/4956-206-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4972-139-0x0000000000000000-mapping.dmp

Download
memory/4976-175-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4976-172-0x0000000000000000-mapping.dmp

Download
memory/5032-191-0x0000000000000000-mapping.dmp

Download
memory/5100-252-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2044 set thread context of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1748	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1112	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4976	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1768	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 808	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4004	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4772	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4732	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4292	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4956	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3756	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2768	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3792	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2460	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3900	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 32	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2832	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1316	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1324	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 804	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4676	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2152	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1028	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2236	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4284	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2188	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3504	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3120	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4928	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1900	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2412	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3964	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 112	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1920	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 796	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1772	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2800	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4508	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4100	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4188	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2288	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4996	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4548	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3048	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 868	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 1628	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4876	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2428	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4036	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3188	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 64	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3516	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4528	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 2120	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 916	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3240	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3816	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 3436	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 set thread context of 4936	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	pid	process	target process
PID 2044 wrote to memory of 3440	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 3440	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 3440	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 4908	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 4908	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 4908	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 1540	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4972	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4972	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4972	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4588	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4588	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4588	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3124	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1540 wrote to memory of 3020	1540	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 1540 wrote to memory of 3020	1540	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 1540 wrote to memory of 3020	1540	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4556	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 4556 wrote to memory of 4224	4556	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 4556 wrote to memory of 4224	4556	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 4556 wrote to memory of 4224	4556	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2044 wrote to memory of 220	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 220	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 220	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 4564	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 4564 wrote to memory of 2812	4564	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 4564 wrote to memory of 2812	4564	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 4564 wrote to memory of 2812	4564	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2044 wrote to memory of 3264	2044	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe