luminosity | 905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

Analysis

max time kernel
154s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Size

325KB
MD5

fef59adb2c9f7f2ade645d3107c61f02
SHA1

058acd6926519431406e839c4d05ae682b280394
SHA256

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5
SHA512

f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983
SSDEEP

6144:sxx+xgkm1Je7HwpzGXHNqnTkPD6veXEImKkLiHSh5cQ/ck0HXtP2ouD1:687H7HNqnQ27TmO5sFHAbD

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\113030\\system.exe\""	system.exe

Executes dropped EXE 35 IoCs

Processes:

thaquvrf.exesystem.exesystem.exesystem.exesystem.exetxpc5tto.exe5mntbpxk.exesystem.exesystem.exedn4swajg.exesystem.exesystem.exe3xok_rnc.exesystem.exesystem.exesystem.exenn5mqnjo.exeuphtcimg.exesystem.exesystem.exesystem.exesystem.exeg3uowusa.exefa0sr_wb.exesystem.exesystem.exesystem.exesystem.exe3n8vzkfk.exesystem.exesystem.exezrze2wro.exe-7ljgoax.exesystem.exesystem.exe

pid	process
4388	thaquvrf.exe
4944	system.exe
3792	system.exe
2924	system.exe
4980	system.exe
536	txpc5tto.exe
5116	5mntbpxk.exe
848	system.exe
4364	system.exe
3496	dn4swajg.exe
5104	system.exe
3120	system.exe
1248	3xok_rnc.exe
2384	system.exe
4252	system.exe
3640	system.exe
920	nn5mqnjo.exe
1080	uphtcimg.exe
4444	system.exe
4192	system.exe
5116	system.exe
4880	system.exe
4324	g3uowusa.exe
2088	fa0sr_wb.exe
3664	system.exe
944	system.exe
344	system.exe
4376	system.exe
3116	3n8vzkfk.exe
5080	system.exe
4032	system.exe
4616	zrze2wro.exe
832	-7ljgoax.exe
4084	system.exe
2140	system.exe

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dn4swajg.exesystem.exe3xok_rnc.exesystem.exesystem.exesystem.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exesystem.exeuphtcimg.exefa0sr_wb.exezrze2wro.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exesystem.exenn5mqnjo.exesystem.exesystem.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exesystem.exe5mntbpxk.exeg3uowusa.exesystem.exesystem.exe3n8vzkfk.exe-7ljgoax.exethaquvrf.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dn4swajg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3xok_rnc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	uphtcimg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fa0sr_wb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	zrze2wro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	nn5mqnjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5mntbpxk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	g3uowusa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	system.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3n8vzkfk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	-7ljgoax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	thaquvrf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows System = "\"C:\\ProgramData\\113030\\system.exe\""	system.exe

Drops file in System32 directory 2 IoCs

Processes:

system.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe system.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe system.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	system.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

description	pid	process	target process
PID 4780 set thread context of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 set thread context of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4944 set thread context of 2924	4944	system.exe	system.exe
PID 4980 set thread context of 4364	4980	system.exe	system.exe
PID 848 set thread context of 5104	848	system.exe	system.exe
PID 3120 set thread context of 4252	3120	system.exe	system.exe
PID 2384 set thread context of 3640	2384	system.exe	system.exe
PID 4192 set thread context of 5116	4192	system.exe	system.exe
PID 4444 set thread context of 4880	4444	system.exe	system.exe
PID 3664 set thread context of 344	3664	system.exe	system.exe
PID 944 set thread context of 4376	944	system.exe	system.exe
PID 5080 set thread context of 4032	5080	system.exe	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
456	PING.EXE
2784	PING.EXE
3480	PING.EXE
1004	PING.EXE
4848	PING.EXE
3920	PING.EXE
1564	PING.EXE
4784	PING.EXE
2548	PING.EXE
1208	PING.EXE
1592	PING.EXE
1440	PING.EXE
1532	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

thaquvrf.exesystem.exetxpc5tto.exesystem.exe5mntbpxk.exedn4swajg.exe3xok_rnc.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exePING.EXEcmd.exe

pid	process
4388	thaquvrf.exe
4388	thaquvrf.exe
4944	system.exe
4944	system.exe
536	txpc5tto.exe
536	txpc5tto.exe
2924	system.exe
5116	5mntbpxk.exe
5116	5mntbpxk.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
3496	dn4swajg.exe
3496	dn4swajg.exe
1248	3xok_rnc.exe
1248	3xok_rnc.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
976	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
976	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
2548	PING.EXE
2548	PING.EXE
2924	system.exe
2924	system.exe
2924	system.exe
2924	system.exe
3916	cmd.exe
3916	cmd.exe
2924	system.exe
2924	system.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

pid process

4376 905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

pid	process
4376	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exethaquvrf.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exesystem.exetxpc5tto.exesystem.exesystem.exedw20.exe5mntbpxk.exesystem.exedn4swajg.exesystem.exe3xok_rnc.exesystem.exenn5mqnjo.exeuphtcimg.exesystem.exesystem.exeg3uowusa.exefa0sr_wb.exesystem.exesystem.exe3n8vzkfk.exesystem.exezrze2wro.exe-7ljgoax.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Token: SeDebugPrivilege	4388	thaquvrf.exe
Token: SeDebugPrivilege	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
Token: SeDebugPrivilege	4944	system.exe
Token: SeDebugPrivilege	536	txpc5tto.exe
Token: SeDebugPrivilege	4980	system.exe
Token: SeDebugPrivilege	2924	system.exe
Token: SeBackupPrivilege	4568	dw20.exe
Token: SeBackupPrivilege	4568	dw20.exe
Token: SeDebugPrivilege	5116	5mntbpxk.exe
Token: SeDebugPrivilege	848	system.exe
Token: SeDebugPrivilege	3496	dn4swajg.exe
Token: SeDebugPrivilege	3120	system.exe
Token: SeDebugPrivilege	1248	3xok_rnc.exe
Token: SeDebugPrivilege	2384	system.exe
Token: SeDebugPrivilege	920	nn5mqnjo.exe
Token: SeDebugPrivilege	1080	uphtcimg.exe
Token: SeDebugPrivilege	4192	system.exe
Token: SeDebugPrivilege	4444	system.exe
Token: SeDebugPrivilege	4324	g3uowusa.exe
Token: SeDebugPrivilege	2088	fa0sr_wb.exe
Token: SeDebugPrivilege	3664	system.exe
Token: SeDebugPrivilege	944	system.exe
Token: SeDebugPrivilege	3116	3n8vzkfk.exe
Token: SeDebugPrivilege	5080	system.exe
Token: SeDebugPrivilege	4616	zrze2wro.exe
Token: SeDebugPrivilege	832	-7ljgoax.exe
Token: SeDebugPrivilege	4084	system.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system.exe

pid process

2924 system.exe

pid	process
2924	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.execmd.execsc.exethaquvrf.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.execmd.exesystem.execmd.execsc.exe

description	pid	process	target process
PID 4780 wrote to memory of 636	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 4780 wrote to memory of 636	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 4780 wrote to memory of 636	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 636 wrote to memory of 456	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 456	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 456	636	cmd.exe	PING.EXE
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 4376	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4780 wrote to memory of 868	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 4780 wrote to memory of 868	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 4780 wrote to memory of 868	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 868 wrote to memory of 1060	868	csc.exe	cvtres.exe
PID 868 wrote to memory of 1060	868	csc.exe	cvtres.exe
PID 868 wrote to memory of 1060	868	csc.exe	cvtres.exe
PID 4780 wrote to memory of 4388	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	thaquvrf.exe
PID 4780 wrote to memory of 4388	4780	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	thaquvrf.exe
PID 4388 wrote to memory of 2812	4388	thaquvrf.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4388 wrote to memory of 2812	4388	thaquvrf.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4388 wrote to memory of 2812	4388	thaquvrf.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 4376 wrote to memory of 4944	4376	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	system.exe
PID 4376 wrote to memory of 4944	4376	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	system.exe
PID 4376 wrote to memory of 4944	4376	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	system.exe
PID 2812 wrote to memory of 1640	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	cmd.exe
PID 1640 wrote to memory of 2784	1640	cmd.exe	PING.EXE
PID 1640 wrote to memory of 2784	1640	cmd.exe	PING.EXE
PID 1640 wrote to memory of 2784	1640	cmd.exe	PING.EXE
PID 4944 wrote to memory of 2428	4944	system.exe	cmd.exe
PID 4944 wrote to memory of 2428	4944	system.exe	cmd.exe
PID 4944 wrote to memory of 2428	4944	system.exe	cmd.exe
PID 2428 wrote to memory of 3480	2428	cmd.exe	PING.EXE
PID 2428 wrote to memory of 3480	2428	cmd.exe	PING.EXE
PID 2428 wrote to memory of 3480	2428	cmd.exe	PING.EXE
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 976	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
PID 2812 wrote to memory of 1764	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 2812 wrote to memory of 1764	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 2812 wrote to memory of 1764	2812	905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe	csc.exe
PID 4944 wrote to memory of 3792	4944	system.exe	system.exe
PID 4944 wrote to memory of 3792	4944	system.exe	system.exe
PID 4944 wrote to memory of 3792	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 4944 wrote to memory of 2924	4944	system.exe	system.exe
PID 1764 wrote to memory of 3416	1764	csc.exe	cvtres.exe
PID 1764 wrote to memory of 3416	1764	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
"C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:456
- C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
  "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\ProgramData\113030\system.exe
    "C:\ProgramData\113030\system.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:3480
  - - C:\ProgramData\113030\system.exe
      "C:\ProgramData\113030\system.exe"
      4⤵
      Executes dropped EXE
      PID:3792
  - - C:\ProgramData\113030\system.exe
      "C:\ProgramData\113030\system.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mntbpxk.cmdline"
      4⤵
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BD8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6C56.tmp"
        5⤵
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\5mntbpxk.exe
      "C:\Users\Admin\AppData\Local\Temp\5mntbpxk.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5116
    - - C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        6⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        7⤵
        Runs ping.exe
        
        PID:4784
      - C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        6⤵
        Executes dropped EXE
        
        PID:5104
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xok_rnc.cmdline"
        6⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFAFA.tmp"
        7⤵
        
        PID:3464
      - C:\Users\Admin\AppData\Local\Temp\3xok_rnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3xok_rnc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        8⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        9⤵
        Runs ping.exe
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        8⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uphtcimg.cmdline"
        8⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4BE9.tmp"
        9⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\uphtcimg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uphtcimg.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        11⤵
        Runs ping.exe
        
        PID:3920
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        10⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3uowusa.cmdline"
        10⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8019.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8008.tmp"
        11⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\g3uowusa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\g3uowusa.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        12⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        13⤵
        Runs ping.exe
        
        PID:1592
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        12⤵
        Executes dropped EXE
        
        PID:344
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3n8vzkfk.cmdline"
        12⤵
        
        PID:3304
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAD0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBACF.tmp"
        13⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3n8vzkfk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3n8vzkfk.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        14⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        15⤵
        Runs ping.exe
        
        PID:1564
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        14⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-7ljgoax.cmdline"
        14⤵
        
        PID:804
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE933.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE932.tmp"
        15⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\-7ljgoax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\-7ljgoax.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        15⤵
        Executes dropped EXE
        
        PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\thaquvrf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC179F.tmp"
    3⤵
    PID:1060
- C:\Users\Admin\AppData\Local\Temp\thaquvrf.exe
  "C:\Users\Admin\AppData\Local\Temp\thaquvrf.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
    "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe
      "C:\Users\Admin\AppData\Local\Temp\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:976
    - - C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        6⤵
        
        PID:812
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        7⤵
        Runs ping.exe
        
        PID:1004
      - C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        6⤵
        Executes dropped EXE
        
        PID:4364
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dn4swajg.cmdline"
        6⤵
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF379.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF378.tmp"
        7⤵
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\dn4swajg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dn4swajg.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3916
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        9⤵
        Runs ping.exe
        
        PID:4848
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        8⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nn5mqnjo.cmdline"
        8⤵
        
        PID:964
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC37B5.tmp"
        9⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\nn5mqnjo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nn5mqnjo.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        10⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        11⤵
        Runs ping.exe
        
        PID:1208
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        10⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fa0sr_wb.cmdline"
        10⤵
        
        PID:4600
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8171.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8170.tmp"
        11⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\fa0sr_wb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fa0sr_wb.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        12⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        13⤵
        Runs ping.exe
        
        PID:1440
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        12⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrze2wro.cmdline"
        12⤵
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBDA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBBA.tmp"
        13⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\zrze2wro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zrze2wro.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\ProgramData\113030\system.exe
        
        "C:\ProgramData\113030\system.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
        14⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 10
        15⤵
        Runs ping.exe
        
        PID:1532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txpc5tto.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6979.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F27.tmp"
        5⤵
        
        PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\txpc5tto.exe
      "C:\Users\Admin\AppData\Local\Temp\txpc5tto.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:536
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 968
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\ProgramData\113030\system.exe

Filesize
325KB

MD5
fef59adb2c9f7f2ade645d3107c61f02

SHA1
058acd6926519431406e839c4d05ae682b280394

SHA256
905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5

SHA512
f2b4fbdb2d3e6b6d394b7037abffd8545027731c9bfff311823e74dbfb5dc1e4c31295cc398bdceacea9dd3dd285f74b2e1c1075d3edd4a5c01e542ba2e7d983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\905a7f21ee9ba4fefef67fa773a250143f6df0b061e40f8dc0f27ae0c927b9e5.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\system.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xok_rnc.exe

Filesize
3KB

MD5
57b51509f2b155b788bc29269acc32b4

SHA1
e2afe6165781806369a3869ef05d9221f022aeaf

SHA256
0d67f835bc70625278ea38144217d284122c202b8e9c1bde5738259c80bf06d5

SHA512
29562fc96a226c36e0a4b96c19b1f05480a780fcc747ee074360e30bfa01447608ce581366e6c75ba02e8c71a6e953500918fe91de755f276ce0d38419526c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xok_rnc.exe

Filesize
3KB

MD5
57b51509f2b155b788bc29269acc32b4

SHA1
e2afe6165781806369a3869ef05d9221f022aeaf

SHA256
0d67f835bc70625278ea38144217d284122c202b8e9c1bde5738259c80bf06d5

SHA512
29562fc96a226c36e0a4b96c19b1f05480a780fcc747ee074360e30bfa01447608ce581366e6c75ba02e8c71a6e953500918fe91de755f276ce0d38419526c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mntbpxk.exe

Filesize
3KB

MD5
eebdaea3ec75b2c9564f1ec693378cfe

SHA1
8ef3bb6cefb0c01c01ebcb9873003e1ffb519fcf

SHA256
4a495f3ed49bec5b845986b3abeeec148fae221eac548e0baf2e5fc23b14b6f2

SHA512
4ef5d30bfe0fe8ac5d220b5b4abed1951010b306b79af12d15be8b841443c1679f4260fa1d90a321c33ededcb514f79c2bd444d4226d2b60bb8d4fd12b206ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mntbpxk.exe

Filesize
3KB

MD5
eebdaea3ec75b2c9564f1ec693378cfe

SHA1
8ef3bb6cefb0c01c01ebcb9873003e1ffb519fcf

SHA256
4a495f3ed49bec5b845986b3abeeec148fae221eac548e0baf2e5fc23b14b6f2

SHA512
4ef5d30bfe0fe8ac5d220b5b4abed1951010b306b79af12d15be8b841443c1679f4260fa1d90a321c33ededcb514f79c2bd444d4226d2b60bb8d4fd12b206ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES17A0.tmp

Filesize
1KB

MD5
33fa8146a459fb539b5c97cb225992e5

SHA1
291f055bf08965cca0be2552714265f2e4b5e89f

SHA256
e7bc97cd9f18dcaed521994d0a5938bdb67351155dee0eaf9bf67ca817e672f8

SHA512
4371a73653c5f7c7059fb2d275bb35f4aa3a6881b6cb56f2e9681037c94664545b593eb2a7e469226ed8700e0c699c7b10fe26915f06dd2d242e4b0e25213762

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES37B6.tmp

Filesize
1KB

MD5
8dc1dd6a2f6748ee2efd5c8b37fc62ad

SHA1
245664cb3e76d750547902cbed0898cc84109306

SHA256
e21771589f30b7b381695e0bb35a1e6d0d6ccdfe3f171447a68455afb9ea5bc9

SHA512
fdb7bd05eaf4823be49a83defa656beec4d9be9c413e0d52322c83ce07f9e39474d604743352d7eecc0a98864c962e082753891a6edec1bb6178d50bb30a6b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BEA.tmp

Filesize
1KB

MD5
2b55d437c43974b1331199596e082c73

SHA1
debd5d26de442c0808014fa5eaf5199c42351848

SHA256
416b2a9c973a29be19b31897a18403986fcc4081f84858da264761703435efc8

SHA512
afcae881da710e9bafef09f00e4461aeb502b7b2c6c25109a0c624d596b351279284bacdb217655e36b2658ea4b527603af23319322b02951fca15ceddd31dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6979.tmp

Filesize
1KB

MD5
7d8421510e260220292243ab6aa628c1

SHA1
4d5bf24555401e25add17a3b135656fe0b299103

SHA256
182c37bf59e11d960eeea9f9c5b4fc1801840b5748c641000328bea520d0dfc9

SHA512
fc7fb8136a111b857b9f22458a9c023305480c2031d0aaa8f43f00cf3935d83e743da58a614db4beaa15d4b63b38237abd6a39c51bbc96c7be37f620dac9bdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BD8.tmp

Filesize
1KB

MD5
4d47b6ee58ebf0ba3579330fe81747f3

SHA1
c6f8f0647b0ccafcb29d3ac4d95f627981c417ed

SHA256
cad2de6ea9378f2f870021a51fd47a0782c4af07365584f353973651778ada2e

SHA512
4dd0689125e6b54e4dcf6dcea1eeb37cba7f927b913a51af8ce9e346aaabf8e53f3048383f7ce2f30fb450ea1562b12a1076940ff62d2c6fad17e6dcd95650b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF379.tmp

Filesize
1KB

MD5
200d8bcac43dee0698a15ee9b1d2a723

SHA1
aabb97ba37cbc24fbf9394bf7844c5bf6890f621

SHA256
91f2fa9f44b35cf2db53e6d1194e19cfb2683ef2a440d8d9fc487186980fe4dd

SHA512
6186313a154164521d0ee8f3eb1af733b80edc5f72d2b19df997e6e29710947950ba78da90645af86ff9cada39c297a9b6f01764f6ad543edd4cf5f5b995f6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFAFB.tmp

Filesize
1KB

MD5
66c716856bc1483258212f113d0c68b1

SHA1
c72d98830caaebfb3ba914a2683d385015640981

SHA256
50ea1886fb8d620514be618b0a83a5c243f76329b88b9851ec7b7f959adde830

SHA512
8689685d25e015ca93282a6d2c07ab05100300bf263c6ff88bb3d885095db7deddaa4f0eac11749397ac36f7d2eeb5a471472e6c2b6bb21db4d4838bf8957984

Download Submit
C:\Users\Admin\AppData\Local\Temp\dn4swajg.exe

Filesize
3KB

MD5
c7ebe4d59766a70b10b8d598113d1c3e

SHA1
14fec6818a0f6128adb2974a120cd4c831750ac9

SHA256
509ab07b6704e2bd9d6d5d8f8dbe233516dd7b4cd6bebc9b5b891c97b3c0fbd9

SHA512
4fa491d1752649e7bd0dcddbf6871dc5ec7510f917d919f8ee87affe0a62974c0e0678ff171a99d705f56b674e425ada7dd602864dc0630e78c33158a40377f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dn4swajg.exe

Filesize
3KB

MD5
c7ebe4d59766a70b10b8d598113d1c3e

SHA1
14fec6818a0f6128adb2974a120cd4c831750ac9

SHA256
509ab07b6704e2bd9d6d5d8f8dbe233516dd7b4cd6bebc9b5b891c97b3c0fbd9

SHA512
4fa491d1752649e7bd0dcddbf6871dc5ec7510f917d919f8ee87affe0a62974c0e0678ff171a99d705f56b674e425ada7dd602864dc0630e78c33158a40377f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nn5mqnjo.exe

Filesize
3KB

MD5
c720f374702c149af100cbb47d80e280

SHA1
aad63bb5ce458518efeb5191693c490e07b87ffa

SHA256
cfc0536c64e30db6848f587e56124362ae4dadf648af6396f124ee4fb82634b3

SHA512
6b2f21f740313eff8ba5aef26bcc14bb607c2d5d5192aa4e43d2e3a8ebd96fd450a8b9ab894fafcb0542213ce932357f6c88a92f790b238c760bea5e9a6cacf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nn5mqnjo.exe

Filesize
3KB

MD5
c720f374702c149af100cbb47d80e280

SHA1
aad63bb5ce458518efeb5191693c490e07b87ffa

SHA256
cfc0536c64e30db6848f587e56124362ae4dadf648af6396f124ee4fb82634b3

SHA512
6b2f21f740313eff8ba5aef26bcc14bb607c2d5d5192aa4e43d2e3a8ebd96fd450a8b9ab894fafcb0542213ce932357f6c88a92f790b238c760bea5e9a6cacf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\thaquvrf.exe

Filesize
3KB

MD5
0faa5a2eba0a9ae47dc6d79c6789acf7

SHA1
453e86424a3945e90cb7f43b62d7e416c1cb8757

SHA256
bde0fce9283bdc6a11d655e2e5482da2c36fe792a57eef332ff710c5a1271625

SHA512
47227817aeb92761726be3551087fcb5763e2134a3e112b2733790791fd0c67daf1f092c1526fa4792b0c8629ae142f3771a463a158727b4e5fab7dbeb1552d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\thaquvrf.exe

Filesize
3KB

MD5
0faa5a2eba0a9ae47dc6d79c6789acf7

SHA1
453e86424a3945e90cb7f43b62d7e416c1cb8757

SHA256
bde0fce9283bdc6a11d655e2e5482da2c36fe792a57eef332ff710c5a1271625

SHA512
47227817aeb92761726be3551087fcb5763e2134a3e112b2733790791fd0c67daf1f092c1526fa4792b0c8629ae142f3771a463a158727b4e5fab7dbeb1552d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\txpc5tto.exe

Filesize
3KB

MD5
e79bd29bf4f94b0f52c1475ea9e3faa6

SHA1
44476fe45223d4c22cdf2b0884181af8d6337ad9

SHA256
1b657f1da0668458a9ccc74ff09b0123e2441ff1d542aed40a7d71d1ebfcf524

SHA512
3ca53ef7d4ffa0eacf0bc1bf37c3ebb37eb7181cbfce8ec0698da6029201061e0898d483537af2f93eb7c003303c5e1a890f55db467d7dbeab1c135c4cda70e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\txpc5tto.exe

Filesize
3KB

MD5
e79bd29bf4f94b0f52c1475ea9e3faa6

SHA1
44476fe45223d4c22cdf2b0884181af8d6337ad9

SHA256
1b657f1da0668458a9ccc74ff09b0123e2441ff1d542aed40a7d71d1ebfcf524

SHA512
3ca53ef7d4ffa0eacf0bc1bf37c3ebb37eb7181cbfce8ec0698da6029201061e0898d483537af2f93eb7c003303c5e1a890f55db467d7dbeab1c135c4cda70e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uphtcimg.exe

Filesize
3KB

MD5
5f5a0e096d1a99dd11822de7af066d9b

SHA1
e07b9f6a0289b170a03b556e24b5e3c9a5dad14e

SHA256
fd23e3b1ebcc0ac1ff268589618c990998b4876196f784d7d05d42f09d791803

SHA512
447af8b7f60d4f47968ba94d6d57e60fe2df3bd7a5e5e3c911823a95da2f3fd1b5fd5032463939e41748518f1edec550a3e7d0f7ecfbcf47e94a958244b0ab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\uphtcimg.exe

Filesize
3KB

MD5
5f5a0e096d1a99dd11822de7af066d9b

SHA1
e07b9f6a0289b170a03b556e24b5e3c9a5dad14e

SHA256
fd23e3b1ebcc0ac1ff268589618c990998b4876196f784d7d05d42f09d791803

SHA512
447af8b7f60d4f47968ba94d6d57e60fe2df3bd7a5e5e3c911823a95da2f3fd1b5fd5032463939e41748518f1edec550a3e7d0f7ecfbcf47e94a958244b0ab23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xok_rnc.0.cs

Filesize
201B

MD5
72d94a953ad0ac7756b6e854e0015e29

SHA1
cccf9a8b6751594c096c2be2dd21ad22ac480aec

SHA256
3f129144478be41987475ab19ad635fee4a595d9a6f1b91a6e213c0deca5899b

SHA512
a695ce8c80344de13b00d55389b585dc7288bc1765cb5f023f208357807412b69e8e613615a8f53b671e9fe21b93f9e4cef16b1fcc20ad046e8775953c4f4f2e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3xok_rnc.cmdline

Filesize
217B

MD5
70b6610529568fe2f60e225a1ba345c6

SHA1
4278c9a0b7ebc9b1ea8046c9a1af117b335a42ee

SHA256
99ddbc2c2413c755778848744c46d99a65bab0cf2ace06a3cec78a7827ec795b

SHA512
8c7cdc7c9a49efb54809c4c3ecc13432d1e0a958f30f2a187b390079f08fb61d09936beec73d3f82ffacccdb5e5493c83c7ee15aeabaa72f6f7df4a7ed8c21ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mntbpxk.0.cs

Filesize
202B

MD5
4566d95f23a307d50604b57eddca5ec7

SHA1
6daf4d597d3f16a90bd3fabe4075941df33caa2a

SHA256
7175c9d2d152be00b3be8fa0fd1215bba4fa3dc8f6ac50131f2e789790d5d541

SHA512
96ed5a3fb7953d9f71d7b040c242a6e87a6549632351ebd5c25f4f3cb86db70268e9b1908ca3bb25a2e8a6be66ff00d90d6ec45e374c8e70a44d764950888984

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5mntbpxk.cmdline

Filesize
217B

MD5
e294df37b19c486a6a984e208a3c961f

SHA1
7cf345c9ad09365e353dadca54cd396a07bdc29e

SHA256
a0d4044bb5a95f2a1ee3e446175eeca378e65e242a02a7704475c067d71eb36b

SHA512
195fd54fbf7c08d55c688a174b86297116204faa465f91f7acd58f4190ac19c93020a88b25e77d9c375dbc30169efc481fd2869da1aeda1de0f61e37e03f7c04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC179F.tmp

Filesize
652B

MD5
fbc2f818608dd4e57608f950765b8bae

SHA1
29d6cae40e4e7e59a6dfdec840f78f1a1956c2a3

SHA256
526c1e8f0a7ea35870a8c15cfd4175678ba8ec83d88e553557004790a387fcfe

SHA512
ea06a8002a4bedb62a437773353acfc604b65905783bba825cd849b4c23e5100c5f95f9f87e447084fcddf1e68c0260da0b137706c72ff537d824053db81b6c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC37B5.tmp

Filesize
652B

MD5
c99e5f8ac60d13fa86931bf90551303a

SHA1
deff2d64861a1b63644a86c48a08806288383b5d

SHA256
dd94fb65a3d8f2b161b627cac870be1334d3113611fc756fdcf5391a8fc0889a

SHA512
086bee119ebb78fa54bd2a84c9658bc55619275264516b649fe4a56a1ea7e7d2cfb84e39378edb64793844e1670c30f7a0c93c1878af563de1a767ce4296cdc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4BE9.tmp

Filesize
652B

MD5
8531afa5fa81da11aa950601236e8355

SHA1
3a9696951ef9ad2e468bf8c6224fe71cb461b7ff

SHA256
6fbf0659b22bf489a806509100a99d90d8ca154f73e4c568b283628d683ff0c0

SHA512
8be31eff64e4818849b4b434ac6fbde9cf2632edb56472cfec50ccaad1276727dc80bb9c3d39dd7eaa182d19dcd5627de088f40ed4ecb9be2cd167bfe9b7e5ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F27.tmp

Filesize
652B

MD5
0a1ae15fc229d3094dfd1a51b3d26dfa

SHA1
adff436ad469f5d6d3710b724f7987f8dbb9628c

SHA256
9cab76f73917593e94e5e473fc2362d5ec961fea0fd60261314403340befa7b2

SHA512
49b1b98846f4b41360d850cbbc3235385030f0fbdabf522cb80b833491e3ba91ca60f32aa796cf366a07ca784a990bd7acdee45f8a872909b6bdbe1a019e9268

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6C56.tmp

Filesize
652B

MD5
3931b4aeeeac47b47e74747eface0ec1

SHA1
bdce8d8c745b53a9b9e23af181e40b9195162d15

SHA256
03c31cb8bf388bc3c561e9be39919a666f9452a8c6687e91959a43bf5924b3e4

SHA512
a592a0edc23a824fae64370fce9e02df5481dfac26ed83dc871e5c592a0a976ec3dcb6853e42173a3d60b311679c2d01f385515d8d59fb49a9c10edd4ed5c9aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8008.tmp

Filesize
652B

MD5
fbe2bdba046254da91ea912716cf7644

SHA1
53d87b5429dc46ab3eadbc13930cd89ec6b1c63e

SHA256
fd7873e7fa8552939473f17a2aea9fd8574fe41925365bc81fb6ca22dc28fec5

SHA512
fb44530b5331d3be5f135f7be8c0a2a9e5eb0011b7fedc096d4636cd6c40f1926afac1c672dc49ab18ed5057fba7ff7bd0dfb2babec9507cf9073ad2121e192e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF378.tmp

Filesize
652B

MD5
616f9614e91fe1af49f6ef75e9274315

SHA1
f4a41532c4378445c8b5042fecccac58b9b5aae9

SHA256
4236ccfeced3dc1296846b662d54d19a7b6469da975076ff16cb04e8d00cd798

SHA512
a18aaeda86f8d3b8ac08a7dfcb556bcef9711ec88830821f145b173170b61f669ccf9fb61d9710000d62444a8905dbb2330f72490974182499b266cbefcdb034

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFAFA.tmp

Filesize
652B

MD5
dd154d8064a05230017c598ba68bd47e

SHA1
9df774dfd54a7263dcbe81b6f57ab4bef5ceba3d

SHA256
3f7956a0c9ef3b9f26e54b69c23d4786490ef539da43367af7043e4b416fe1f5

SHA512
d1152e8154d2727549a3d9e49e20fcc9851b0811928fc7a94144dfc155619a5804ad1927bcb66ccb1e55344a3f259fffcd51806599cea470b85c6a41d168f609

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dn4swajg.0.cs

Filesize
202B

MD5
c3663ebf02a1cf6758d818b0b6ea78f5

SHA1
50a8ac22e3e78bb886f73c5a70a5003359298d19

SHA256
77278c1f0386e5c07c1a19e1244ecde3951f5284e4d879b739ad015c7129ef42

SHA512
027039793250cbd2614f54fd0b50d39a96c31e0758adfcb73ccdc71bfdf48994a64cee3bd3311d1b9b4ecb1a462d908fcee865d08597fda2a30e19f2a6ac7597

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dn4swajg.cmdline

Filesize
217B

MD5
538785080a36e15b903d26d35a23f107

SHA1
b81ff20372e54099f632612bf1d521d89d53966b

SHA256
f8d5b9a7a27b2468d14b9e7accfdd156c8392b998fc079eab4f91df87db9c5dd

SHA512
e65ef861213fc517b1bf6373b5b5c9671e539a8a77d36cf2eb652cca1724111d864967e4091cfa53372f7d931be9925791f18c0c7e0c6423fc25d8b649647f37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3uowusa.0.cs

Filesize
202B

MD5
93b81040e028252b0b184acdbc114acd

SHA1
d2bf2c307fdd429006786b072931838d7e96db8b

SHA256
87ce90a7a93384ffb893de97bd6c88980341c7ede0915bc22913e381cf8a87a3

SHA512
9b74cb1d5d5d54e2b3ff55879f8c06a4965bf5cba093f651f1129e77fe38cdadd0da026a01482b9cc4de794111d50fe22148786cba46b5c04d29fb15956dcf55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3uowusa.cmdline

Filesize
217B

MD5
7c7c4abfa4ca9dac1ee3c8f5b6178f88

SHA1
9f7d8bdaf7c91e28aa3d667ab76549d53adfbac0

SHA256
7b0594cc43943357d282c7422f24ddbea4933059c7ccd520ba0c48240ba21dbe

SHA512
dd9174796244a158783c4f30fff789762ae8f6d93ef19fcc8bb99c908060f7b60ea53f10584587b1072841188d4708a7502c023b82ba0f8f69bb08d468ba700b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nn5mqnjo.0.cs

Filesize
202B

MD5
14ba360c4d151ad22f1b5fcdb8be749c

SHA1
3083a9a88f6f0e5621d5511256552d89e4e9e3a1

SHA256
92465c01168a0a3637f1206b4bbd1e4ea24cb43b05dedf492ad0fbe34a870330

SHA512
1f06eebc1862ef10d153ca1a41e93611f70381922d434bebe8283fb431641470c8f310e2fbfc00c09c17e490d527b5363007bcf2f9cf2a132038011062e9a33c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nn5mqnjo.cmdline

Filesize
217B

MD5
352a2399fbbb692b6682d1d5e9cf124e

SHA1
01a32eaebc4312cb8ec35f35eed370f11cbce039

SHA256
dae3494603c4fc7d803ba77f454714e5830b0330b3a51945706746324171e6d2

SHA512
36bfd5e87dba6bea77fa0ef8932577c543246a7688ce9763a630324cff17d35c87bc12b6e172bf6e86f1f809fcf61a410651d471c27b7eb0647d1697028cafe1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\thaquvrf.0.cs

Filesize
272B

MD5
aa555cde89a83c7c5fde6a0e3adb08af

SHA1
45b900324775f78c83afca32e346bf39f148b454

SHA256
764003337eb650f1842ce9a144e75b83c47fb47b0157f34174bdfb98ec81de9c

SHA512
50df62fb715b3c95f69aa3a1eb77f84d1c8658eec6d377a90f669ce85445f706517d606cec01e214da7dd3c6377b0fd3a3eea27a20bdb3e2dc0ae60c9cd3eb47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\thaquvrf.cmdline

Filesize
217B

MD5
d8170dfdb65b7890befc6fd2cb8f3c1e

SHA1
e23b877f70e5a3d1c5591a50ef893326260515ec

SHA256
5e73f7f70859d0d86af3325cd5afeb514e2d008977ed92e14794b91ba3b01e62

SHA512
95f808b29d516fa4d69e2a28eadfca3f66dc27f3216675642b51172114059e3517156da4d635ac5a78303d7cce68f0c303d9567ab9e78e2c1a3493fc91046c55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txpc5tto.0.cs

Filesize
272B

MD5
d55d9b0c90dc2ce481a7d1c39ed8501d

SHA1
f8677bcbcf0b030de319e5bae8f5052766d6a005

SHA256
2a8866c5786342b8bd7d5f6d1e4cb9b3099359a6e6269635ef67688d45960d99

SHA512
93ca4f73522197885275a86e5183b58ac7af93553eef99148e771cd108fd7acba2c58df418b5f7daab024c2e871cba813b7a73f4765695cf96d2d923f1cf2728

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txpc5tto.cmdline

Filesize
217B

MD5
3b487afdec0ea2344a755816c83c6022

SHA1
4573551db502d6dfd5ace13834733cb365552e40

SHA256
751fbcc955088d6543e5342d3aaf9f5b56560b1a0f2473b2cfc65a1e4836bfa9

SHA512
fda790977a4cadb4d8f3eb19cb0577c51cd5e4717ca8d02b944efce8098f60253ee861168158fd09cb73fa37fc37cb27cb36beb821b3e0db37dd1db9d26e9cd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uphtcimg.0.cs

Filesize
202B

MD5
818ba60d138395cc273df16b1b84da0c

SHA1
1798558749f43e560b050a8c71d2998b7ece516d

SHA256
6cb725ff0fea41a0be70893bcd59cd098fd7ba57a11f4722da751b854c9bf9af

SHA512
fbb1497f11d193c9acf7d7cbf53f9814eef820ca9221bea9396623a26fe08bedd4c7def9a51b241279816b7101cde24bfa228d6b834f97ddff152f3c71899b34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uphtcimg.cmdline

Filesize
217B

MD5
729f7fcb5c31d0c1b72cebaf5f503798

SHA1
47fa772fc093cd93fe6dbe22c02c574418302cf5

SHA256
9acf3e8a08c15d8a145d9ca73e53778dc53cea566951be0c2d6a958fa21015ed

SHA512
c8543be4aa687dac81bb2db3a85f1a2a71394ae43d20e078b27e9a7e48eee519567f556fb1a839bb73154f4065453df7f5f358c6aa2e88914da674503a0bbe07

Download Submit
memory/344-396-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/456-134-0x0000000000000000-mapping.dmp

Download
memory/536-194-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/536-191-0x0000000000000000-mapping.dmp

Download
memory/636-133-0x0000000000000000-mapping.dmp

Download
memory/812-203-0x0000000000000000-mapping.dmp

Download
memory/848-227-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/848-208-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/848-204-0x0000000000000000-mapping.dmp

Download
memory/848-247-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/868-138-0x0000000000000000-mapping.dmp

Download
memory/920-304-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/920-302-0x0000000000000000-mapping.dmp

Download
memory/944-427-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/944-389-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/944-374-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/964-280-0x0000000000000000-mapping.dmp

Download
memory/964-289-0x0000000000950000-0x0000000000967000-memory.dmp

Filesize
92KB

Download
memory/964-288-0x0000000000950000-0x0000000000967000-memory.dmp

Filesize
92KB

Download
memory/964-290-0x0000000000950000-0x0000000000967000-memory.dmp

Filesize
92KB

Download
memory/976-294-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/976-184-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/976-256-0x00000000070A0000-0x00000000070B7000-memory.dmp

Filesize
92KB

Download
memory/976-255-0x00000000070A0000-0x00000000070B7000-memory.dmp

Filesize
92KB

Download
memory/976-163-0x0000000000000000-mapping.dmp

Download
memory/976-254-0x00000000070A0000-0x00000000070B7000-memory.dmp

Filesize
92KB

Download
memory/976-170-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/1004-207-0x0000000000000000-mapping.dmp

Download
memory/1060-141-0x0000000000000000-mapping.dmp

Download
memory/1080-308-0x0000000000000000-mapping.dmp

Download
memory/1080-310-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/1132-349-0x0000000000000000-mapping.dmp

Download
memory/1208-328-0x0000000000000000-mapping.dmp

Download
memory/1208-338-0x00000000014B0000-0x00000000014C7000-memory.dmp

Filesize
92KB

Download
memory/1208-340-0x00000000014B0000-0x00000000014C7000-memory.dmp

Filesize
92KB

Download
memory/1208-339-0x00000000014B0000-0x00000000014C7000-memory.dmp

Filesize
92KB

Download
memory/1248-246-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/1248-243-0x0000000000000000-mapping.dmp

Download
memory/1640-156-0x0000000000000000-mapping.dmp

Download
memory/1724-287-0x0000000000000000-mapping.dmp

Download
memory/1764-166-0x0000000000000000-mapping.dmp

Download
memory/1768-346-0x0000000000000000-mapping.dmp

Download
memory/1836-355-0x0000000000000000-mapping.dmp

Download
memory/2088-365-0x0000000000000000-mapping.dmp

Download
memory/2088-366-0x00007FF99AC70000-0x00007FF99B6A6000-memory.dmp

Filesize
10.2MB

Download
memory/2136-291-0x0000000000000000-mapping.dmp

Download
memory/2140-437-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2384-273-0x0000000007110000-0x0000000007127000-memory.dmp

Filesize
92KB

Download
memory/2384-272-0x0000000007110000-0x0000000007127000-memory.dmp

Filesize
92KB

Download
memory/2384-249-0x0000000000000000-mapping.dmp

Download
memory/2384-251-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2384-274-0x0000000007110000-0x0000000007127000-memory.dmp

Filesize
92KB

Download
memory/2384-312-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2384-279-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2428-158-0x0000000000000000-mapping.dmp

Download
memory/2548-253-0x0000000000000000-mapping.dmp

Download
memory/2548-257-0x0000000000F70000-0x0000000000F87000-memory.dmp

Filesize
92KB

Download
memory/2548-258-0x0000000000F70000-0x0000000000F87000-memory.dmp

Filesize
92KB

Download
memory/2548-259-0x0000000000F70000-0x0000000000F87000-memory.dmp

Filesize
92KB

Download
memory/2656-177-0x0000000000000000-mapping.dmp

Download
memory/2784-157-0x0000000000000000-mapping.dmp

Download
memory/2812-195-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-150-0x0000000000000000-mapping.dmp

Download
memory/2812-162-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-152-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2912-209-0x0000000000000000-mapping.dmp

Download
memory/2924-172-0x0000000000000000-mapping.dmp

Download
memory/2924-185-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/2924-176-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3120-240-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3120-265-0x00000000074D0000-0x00000000074E7000-memory.dmp

Filesize
92KB

Download
memory/3120-264-0x00000000074D0000-0x00000000074E7000-memory.dmp

Filesize
92KB

Download
memory/3120-263-0x00000000074D0000-0x00000000074E7000-memory.dmp

Filesize
92KB

Download
memory/3120-306-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3120-237-0x0000000000000000-mapping.dmp

Download
memory/3120-275-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3416-175-0x0000000000000000-mapping.dmp

Download
memory/3464-234-0x0000000000000000-mapping.dmp

Download
memory/3480-159-0x0000000000000000-mapping.dmp

Download
memory/3496-223-0x0000000000000000-mapping.dmp

Download
memory/3496-225-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/3600-270-0x0000000000E80000-0x0000000000E97000-memory.dmp

Filesize
92KB

Download
memory/3600-269-0x0000000000E80000-0x0000000000E97000-memory.dmp

Filesize
92KB

Download
memory/3600-252-0x0000000000000000-mapping.dmp

Download
memory/3600-271-0x0000000000E80000-0x0000000000E97000-memory.dmp

Filesize
92KB

Download
memory/3640-311-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3640-292-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3640-281-0x0000000000000000-mapping.dmp

Download
memory/3664-368-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3664-388-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3664-393-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3664-369-0x0000000007A90000-0x0000000007AA7000-memory.dmp

Filesize
92KB

Download
memory/3692-218-0x0000000000000000-mapping.dmp

Download
memory/3744-231-0x0000000000000000-mapping.dmp

Download
memory/3792-169-0x0000000000000000-mapping.dmp

Download
memory/3916-261-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/3916-244-0x0000000000000000-mapping.dmp

Download
memory/3916-260-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/3916-262-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/3920-332-0x0000000000A90000-0x0000000000AA7000-memory.dmp

Filesize
92KB

Download
memory/3920-334-0x0000000000A90000-0x0000000000AA7000-memory.dmp

Filesize
92KB

Download
memory/3920-333-0x0000000000A90000-0x0000000000AA7000-memory.dmp

Filesize
92KB

Download
memory/3920-327-0x0000000000000000-mapping.dmp

Download
memory/4032-418-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-417-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-430-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-322-0x0000000007660000-0x0000000007677000-memory.dmp

Filesize
92KB

Download
memory/4192-316-0x0000000000000000-mapping.dmp

Download
memory/4192-343-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-324-0x0000000007660000-0x0000000007677000-memory.dmp

Filesize
92KB

Download
memory/4192-323-0x0000000007660000-0x0000000007677000-memory.dmp

Filesize
92KB

Download
memory/4192-318-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4192-359-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-276-0x0000000000000000-mapping.dmp

Download
memory/4252-286-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-305-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-357-0x0000000000000000-mapping.dmp

Download
memory/4324-358-0x00007FF99AC70000-0x00007FF99B6A6000-memory.dmp

Filesize
10.2MB

Download
memory/4360-215-0x0000000000000000-mapping.dmp

Download
memory/4364-330-0x0000000000B40000-0x0000000000B57000-memory.dmp

Filesize
92KB

Download
memory/4364-212-0x0000000000000000-mapping.dmp

Download
memory/4364-235-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-220-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4364-325-0x0000000000000000-mapping.dmp

Download
memory/4364-331-0x0000000000B40000-0x0000000000B57000-memory.dmp

Filesize
92KB

Download
memory/4364-329-0x0000000000B40000-0x0000000000B57000-memory.dmp

Filesize
92KB

Download
memory/4376-199-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-148-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-161-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-415-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-136-0x0000000000000000-mapping.dmp

Download
memory/4376-398-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4388-149-0x00007FF99B730000-0x00007FF99C166000-memory.dmp

Filesize
10.2MB

Download
memory/4388-145-0x0000000000000000-mapping.dmp

Download
memory/4444-319-0x0000000006240000-0x0000000006257000-memory.dmp

Filesize
92KB

Download
memory/4444-367-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-315-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-313-0x0000000000000000-mapping.dmp

Download
memory/4444-341-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-320-0x0000000006240000-0x0000000006257000-memory.dmp

Filesize
92KB

Download
memory/4444-321-0x0000000006240000-0x0000000006257000-memory.dmp

Filesize
92KB

Download
memory/4568-201-0x0000000000000000-mapping.dmp

Download
memory/4600-354-0x0000000000000000-mapping.dmp

Download
memory/4656-298-0x0000000000000000-mapping.dmp

Download
memory/4776-326-0x0000000000000000-mapping.dmp

Download
memory/4776-337-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download
memory/4776-335-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download
memory/4776-336-0x00000000009D0000-0x00000000009E7000-memory.dmp

Filesize
92KB

Download
memory/4780-132-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4780-147-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4780-135-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4784-210-0x0000000000000000-mapping.dmp

Download
memory/4848-248-0x0000000000000000-mapping.dmp

Download
memory/4848-267-0x0000000000FF0000-0x0000000001007000-memory.dmp

Filesize
92KB

Download
memory/4848-268-0x0000000000FF0000-0x0000000001007000-memory.dmp

Filesize
92KB

Download
memory/4848-266-0x0000000000FF0000-0x0000000001007000-memory.dmp

Filesize
92KB

Download
memory/4880-361-0x0000000006B50000-0x0000000006B67000-memory.dmp

Filesize
92KB

Download
memory/4880-363-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-364-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-360-0x0000000006B50000-0x0000000006B67000-memory.dmp

Filesize
92KB

Download
memory/4880-362-0x0000000006B50000-0x0000000006B67000-memory.dmp

Filesize
92KB

Download
memory/4880-350-0x0000000000000000-mapping.dmp

Download
memory/4920-182-0x0000000000000000-mapping.dmp

Download
memory/4944-200-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-160-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-165-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-153-0x0000000000000000-mapping.dmp

Download
memory/4980-196-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-226-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-189-0x0000000000000000-mapping.dmp

Download
memory/4980-211-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-411-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-422-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-429-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-241-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5104-228-0x0000000000000000-mapping.dmp

Download
memory/5116-356-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-202-0x00007FF99B7E0000-0x00007FF99C216000-memory.dmp

Filesize
10.2MB

Download
memory/5116-197-0x0000000000000000-mapping.dmp

Download
memory/5116-342-0x0000000000000000-mapping.dmp

Download