netwire | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OInstall.exe
Size

15.2MB
MD5

38be94769e4f59d9a90e551e505c2e07
SHA1

cac71ca2dd32cbe99614870ef01851e0d54bff84
SHA256

3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956
SHA512

47ef669a5be744235e10ba65d7deb8bdd46544cd6dc4532fa4b43fdc3b5d9b6b49febbef8906870b321281c47ca45f9b679e65eabfeffbf6deffc96fa27e24a5
SSDEEP

393216:J8/uxLqG0/kfQslis6SAVDfINRPcji3Zhtnh0:Bv0/kr8s6SA5QUji3ZhtnK

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

qayshaija.ddns.net:1515

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 28 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/884-161-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/884-166-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/884-168-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1328-176-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4292-185-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4120-194-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2288-202-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/884-211-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1688-212-0x0000000001080000-0x0000000001090000-memory.dmp	netwire
behavioral1/memory/1320-213-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2460-220-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/3336-228-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/3244-236-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/3436-247-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4576-253-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/424-262-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/3404-270-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2756-281-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2404-290-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/640-299-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4740-306-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4748-315-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1072-316-0x00000000055D0000-0x00000000055E0000-memory.dmp	netwire
behavioral1/memory/2680-323-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4544-332-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/872-340-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/3152-349-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/4976-350-0x0000000005110000-0x0000000005120000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

install.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exeinstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	OInstall.exe

Executes dropped EXE 64 IoCs

Processes:

pid	process
4572	install.exe
4176	install.exe
3264	install.exe
3780	install.exe
3696	install.exe
4980	install.exe
1688	install.exe
3048	install.exe
4160	install.exe
920	install.exe
5032	install.exe
1912	install.exe
3656	install.exe
4228	install.exe
2608	install.exe
5016	install.exe
820	install.exe
2520	install.exe
4528	install.exe
4200	install.exe
1796	install.exe
3672	install.exe
4976	install.exe
1072	install.exe
2552	install.exe
2352	install.exe
4888	install.exe
1128	install.exe
3684	install.exe
540	install.exe
4448	install.exe
4596	install.exe
220	install.exe
4736	install.exe
4980	install.exe
396	install.exe
1084	install.exe
4252	install.exe
2448	install.exe
4572	install.exe
4196	install.exe
3288	install.exe
3976	install.exe
1632	install.exe
4964	install.exe
5048	install.exe
4476	install.exe
4208	install.exe
2268	install.exe
2972	install.exe
3620	install.exe
1924	install.exe
4728	install.exe
3696	install.exe
1624	install.exe
3360	install.exe
4284	install.exe
2368	install.exe
2112	install.exe
1804	install.exe
3904	install.exe
372	install.exe
840	install.exe
3264	install.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

description	pid	process	target process
PID 4572 set thread context of 884	4572	install.exe	RegAsm.exe
PID 4176 set thread context of 1328	4176	install.exe	RegAsm.exe
PID 3264 set thread context of 4292	3264	install.exe	RegAsm.exe
PID 3780 set thread context of 4120	3780	install.exe	RegAsm.exe
PID 3696 set thread context of 2288	3696	install.exe	RegAsm.exe
PID 4980 set thread context of 1320	4980	install.exe	RegAsm.exe
PID 1688 set thread context of 2460	1688	install.exe	RegAsm.exe
PID 3048 set thread context of 3336	3048	install.exe	RegAsm.exe
PID 4160 set thread context of 3244	4160	install.exe	RegAsm.exe
PID 920 set thread context of 3436	920	install.exe	RegAsm.exe
PID 5032 set thread context of 4576	5032	install.exe	RegAsm.exe
PID 1912 set thread context of 424	1912	install.exe	RegAsm.exe
PID 3656 set thread context of 3404	3656	install.exe	RegAsm.exe
PID 4228 set thread context of 2756	4228	install.exe	RegAsm.exe
PID 2608 set thread context of 2404	2608	install.exe	RegAsm.exe
PID 5016 set thread context of 640	5016	install.exe	RegAsm.exe
PID 820 set thread context of 4740	820	install.exe	RegAsm.exe
PID 2520 set thread context of 4748	2520	install.exe	RegAsm.exe
PID 4528 set thread context of 2680	4528	install.exe	RegAsm.exe
PID 4200 set thread context of 4544	4200	install.exe	RegAsm.exe
PID 1796 set thread context of 872	1796	install.exe	RegAsm.exe
PID 3672 set thread context of 3152	3672	install.exe	RegAsm.exe
PID 4976 set thread context of 4144	4976	install.exe	RegAsm.exe
PID 1072 set thread context of 1684	1072	install.exe	RegAsm.exe
PID 2552 set thread context of 1584	2552	install.exe	RegAsm.exe
PID 2352 set thread context of 3076	2352	install.exe	RegAsm.exe
PID 4888 set thread context of 3584	4888	install.exe	RegAsm.exe
PID 1128 set thread context of 1772	1128	install.exe	RegAsm.exe
PID 3684 set thread context of 4768	3684	install.exe	RegAsm.exe
PID 540 set thread context of 1640	540	install.exe	RegAsm.exe
PID 4448 set thread context of 5108	4448	install.exe	RegAsm.exe
PID 4596 set thread context of 1828	4596	install.exe	RegAsm.exe
PID 220 set thread context of 4828	220	install.exe	RegAsm.exe
PID 4736 set thread context of 4152	4736	install.exe	RegAsm.exe
PID 4980 set thread context of 460	4980	install.exe	RegAsm.exe
PID 396 set thread context of 1368	396	install.exe	RegAsm.exe
PID 1084 set thread context of 2024	1084	install.exe	RegAsm.exe
PID 4252 set thread context of 4064	4252	install.exe	RegAsm.exe
PID 2448 set thread context of 3284	2448	install.exe	RegAsm.exe
PID 4572 set thread context of 4904	4572	install.exe	RegAsm.exe
PID 4196 set thread context of 628	4196	install.exe	RegAsm.exe
PID 3288 set thread context of 1800	3288	install.exe	RegAsm.exe
PID 3976 set thread context of 1860	3976	install.exe	RegAsm.exe
PID 1632 set thread context of 4984	1632	install.exe	RegAsm.exe
PID 4964 set thread context of 5044	4964	install.exe	RegAsm.exe
PID 5048 set thread context of 2260	5048	install.exe	RegAsm.exe
PID 4476 set thread context of 4508	4476	install.exe	RegAsm.exe
PID 2268 set thread context of 800	2268	install.exe	RegAsm.exe
PID 2972 set thread context of 2948	2972	install.exe	RegAsm.exe
PID 3620 set thread context of 796	3620	install.exe	RegAsm.exe
PID 1924 set thread context of 224	1924	install.exe	RegAsm.exe
PID 4728 set thread context of 1856	4728	install.exe	RegAsm.exe
PID 3696 set thread context of 3420	3696	install.exe	RegAsm.exe
PID 1624 set thread context of 1424	1624	install.exe	RegAsm.exe
PID 3360 set thread context of 444	3360	install.exe	RegAsm.exe
PID 4284 set thread context of 2140	4284	install.exe	RegAsm.exe
PID 2368 set thread context of 4028	2368	install.exe	RegAsm.exe
PID 2112 set thread context of 2264	2112	install.exe	RegAsm.exe
PID 1804 set thread context of 3752	1804	install.exe	RegAsm.exe
PID 3904 set thread context of 1000	3904	install.exe	RegAsm.exe
PID 372 set thread context of 3444	372	install.exe	RegAsm.exe
PID 840 set thread context of 3440	840	install.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
4572	install.exe
4176	install.exe
3264	install.exe
3780	install.exe
3696	install.exe
4980	install.exe
1688	install.exe
3048	install.exe
4160	install.exe
920	install.exe
5032	install.exe
1912	install.exe
3656	install.exe
4228	install.exe
2608	install.exe
2608	install.exe
5016	install.exe
820	install.exe
820	install.exe
2520	install.exe
2520	install.exe
4528	install.exe
4200	install.exe
4200	install.exe
1796	install.exe
3672	install.exe
4976	install.exe
1072	install.exe
2552	install.exe
2552	install.exe
2352	install.exe
2352	install.exe
4888	install.exe
1128	install.exe
3684	install.exe
540	install.exe
4448	install.exe
4596	install.exe
220	install.exe
220	install.exe
4736	install.exe
4980	install.exe
396	install.exe
1084	install.exe
1084	install.exe
4252	install.exe
2448	install.exe
4572	install.exe
4572	install.exe
4196	install.exe
4196	install.exe
3288	install.exe
3976	install.exe
1632	install.exe
4964	install.exe
5048	install.exe
4476	install.exe
2268	install.exe
2972	install.exe
2972	install.exe
3620	install.exe
1924	install.exe
4728	install.exe
3696	install.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
4404	OInstall.exe
4404	OInstall.exe
4404	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
948	OInstall.exe
948	OInstall.exe
948	OInstall.exe
948	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
4024	OInstall.exe
4024	OInstall.exe
4024	OInstall.exe
896	OInstall.exe
896	OInstall.exe
896	OInstall.exe
896	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
1052	OInstall.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1244	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
1396	OInstall.exe
4404	OInstall.exe
4404	OInstall.exe
4404	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
4184	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
2448	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
4844	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
3612	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2724	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
2612	OInstall.exe
948	OInstall.exe
948	OInstall.exe
948	OInstall.exe
948	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
2264	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
3708	OInstall.exe
4024	OInstall.exe
4024	OInstall.exe
4024	OInstall.exe
896	OInstall.exe
896	OInstall.exe
896	OInstall.exe
896	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
3904	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
2648	OInstall.exe
1052	OInstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeOInstall.exeinstall.exeinstall.exeOInstall.exeinstall.exeOInstall.exeinstall.exe

description	pid	process	target process
PID 1244 wrote to memory of 1396	1244	OInstall.exe	OInstall.exe
PID 1244 wrote to memory of 1396	1244	OInstall.exe	OInstall.exe
PID 1244 wrote to memory of 1396	1244	OInstall.exe	OInstall.exe
PID 1244 wrote to memory of 4572	1244	OInstall.exe	install.exe
PID 1244 wrote to memory of 4572	1244	OInstall.exe	install.exe
PID 1244 wrote to memory of 4572	1244	OInstall.exe	install.exe
PID 1396 wrote to memory of 4404	1396	OInstall.exe	OInstall.exe
PID 1396 wrote to memory of 4404	1396	OInstall.exe	OInstall.exe
PID 1396 wrote to memory of 4404	1396	OInstall.exe	OInstall.exe
PID 1396 wrote to memory of 4176	1396	OInstall.exe	install.exe
PID 1396 wrote to memory of 4176	1396	OInstall.exe	install.exe
PID 1396 wrote to memory of 4176	1396	OInstall.exe	install.exe
PID 4404 wrote to memory of 4184	4404	OInstall.exe	OInstall.exe
PID 4404 wrote to memory of 4184	4404	OInstall.exe	OInstall.exe
PID 4404 wrote to memory of 4184	4404	OInstall.exe	OInstall.exe
PID 4404 wrote to memory of 3264	4404	OInstall.exe	install.exe
PID 4404 wrote to memory of 3264	4404	OInstall.exe	install.exe
PID 4404 wrote to memory of 3264	4404	OInstall.exe	install.exe
PID 4184 wrote to memory of 2448	4184	OInstall.exe	OInstall.exe
PID 4184 wrote to memory of 2448	4184	OInstall.exe	OInstall.exe
PID 4184 wrote to memory of 2448	4184	OInstall.exe	OInstall.exe
PID 4184 wrote to memory of 3780	4184	OInstall.exe	install.exe
PID 4184 wrote to memory of 3780	4184	OInstall.exe	install.exe
PID 4184 wrote to memory of 3780	4184	OInstall.exe	install.exe
PID 2448 wrote to memory of 4844	2448	OInstall.exe	OInstall.exe
PID 2448 wrote to memory of 4844	2448	OInstall.exe	OInstall.exe
PID 2448 wrote to memory of 4844	2448	OInstall.exe	OInstall.exe
PID 2448 wrote to memory of 3696	2448	OInstall.exe	install.exe
PID 2448 wrote to memory of 3696	2448	OInstall.exe	install.exe
PID 2448 wrote to memory of 3696	2448	OInstall.exe	install.exe
PID 4844 wrote to memory of 3612	4844	OInstall.exe	OInstall.exe
PID 4844 wrote to memory of 3612	4844	OInstall.exe	OInstall.exe
PID 4844 wrote to memory of 3612	4844	OInstall.exe	OInstall.exe
PID 4844 wrote to memory of 4980	4844	OInstall.exe	install.exe
PID 4844 wrote to memory of 4980	4844	OInstall.exe	install.exe
PID 4844 wrote to memory of 4980	4844	OInstall.exe	install.exe
PID 3612 wrote to memory of 2724	3612	OInstall.exe	OInstall.exe
PID 3612 wrote to memory of 2724	3612	OInstall.exe	OInstall.exe
PID 3612 wrote to memory of 2724	3612	OInstall.exe	OInstall.exe
PID 3612 wrote to memory of 1688	3612	OInstall.exe	install.exe
PID 3612 wrote to memory of 1688	3612	OInstall.exe	install.exe
PID 3612 wrote to memory of 1688	3612	OInstall.exe	install.exe
PID 4572 wrote to memory of 884	4572	install.exe	RegAsm.exe
PID 4572 wrote to memory of 884	4572	install.exe	RegAsm.exe
PID 4572 wrote to memory of 884	4572	install.exe	RegAsm.exe
PID 4572 wrote to memory of 884	4572	install.exe	RegAsm.exe
PID 4176 wrote to memory of 1328	4176	install.exe	RegAsm.exe
PID 4176 wrote to memory of 1328	4176	install.exe	RegAsm.exe
PID 4176 wrote to memory of 1328	4176	install.exe	RegAsm.exe
PID 4176 wrote to memory of 1328	4176	install.exe	RegAsm.exe
PID 2724 wrote to memory of 2612	2724	OInstall.exe	OInstall.exe
PID 2724 wrote to memory of 2612	2724	OInstall.exe	OInstall.exe
PID 2724 wrote to memory of 2612	2724	OInstall.exe	OInstall.exe
PID 2724 wrote to memory of 3048	2724	OInstall.exe	install.exe
PID 2724 wrote to memory of 3048	2724	OInstall.exe	install.exe
PID 2724 wrote to memory of 3048	2724	OInstall.exe	install.exe
PID 3264 wrote to memory of 4292	3264	install.exe	RegAsm.exe
PID 3264 wrote to memory of 4292	3264	install.exe	RegAsm.exe
PID 3264 wrote to memory of 4292	3264	install.exe	RegAsm.exe
PID 3264 wrote to memory of 4292	3264	install.exe	RegAsm.exe
PID 2612 wrote to memory of 948	2612	OInstall.exe	OInstall.exe
PID 2612 wrote to memory of 948	2612	OInstall.exe	OInstall.exe
PID 2612 wrote to memory of 948	2612	OInstall.exe	OInstall.exe
PID 3780 wrote to memory of 4120	3780	install.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
4⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
5⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
6⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
7⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
8⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
9⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
10⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
11⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
12⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3708

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
13⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4024

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
14⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:896

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
15⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3904

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
16⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
17⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1052

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
18⤵
- Checks computer location settings
PID:548

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
19⤵
- Checks computer location settings
PID:1020

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
20⤵
- Checks computer location settings
PID:4456

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
21⤵
- Checks computer location settings
PID:4828

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
22⤵
- Checks computer location settings
PID:3740

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
23⤵
- Checks computer location settings
PID:460

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
24⤵
- Checks computer location settings
PID:4024

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
25⤵
- Checks computer location settings
PID:3848

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
26⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
27⤵
- Checks computer location settings
PID:1640

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
28⤵
- Checks computer location settings
PID:4276

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
29⤵
- Checks computer location settings
PID:976

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
30⤵
- Checks computer location settings
PID:4872

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
31⤵
- Checks computer location settings
PID:2608

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
32⤵
- Checks computer location settings
PID:3740

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
33⤵
- Checks computer location settings
PID:3604

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
34⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
35⤵
- Checks computer location settings
PID:436

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
36⤵
- Checks computer location settings
PID:2040

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
37⤵
- Checks computer location settings
PID:2456

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
38⤵
- Checks computer location settings
PID:4996

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
39⤵
- Checks computer location settings
PID:4032

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
40⤵
- Checks computer location settings
PID:3972

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
41⤵
- Checks computer location settings
PID:1512

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
42⤵
- Checks computer location settings
PID:2972

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
43⤵
- Checks computer location settings
PID:3492

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
44⤵
- Checks computer location settings
PID:4628

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
45⤵
- Checks computer location settings
PID:4680

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
46⤵
- Checks computer location settings
PID:2040

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
47⤵
- Checks computer location settings
PID:2456

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
48⤵
- Checks computer location settings
PID:1880

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
49⤵
- Checks computer location settings
PID:2324

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
50⤵
- Checks computer location settings
PID:840

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
51⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
52⤵
- Checks computer location settings
PID:3236

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
53⤵
- Checks computer location settings
PID:5052

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
54⤵
- Checks computer location settings
PID:1804

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
55⤵
- Checks computer location settings
PID:788

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
56⤵
- Checks computer location settings
PID:2456

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
57⤵
- Checks computer location settings
PID:2140

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
58⤵
- Checks computer location settings
PID:5020

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
59⤵
- Checks computer location settings
PID:4928

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
60⤵
- Checks computer location settings
PID:4436

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
61⤵
- Checks computer location settings
PID:5000

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
62⤵
- Checks computer location settings
PID:3616

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
63⤵
- Checks computer location settings
PID:4560

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
64⤵
- Checks computer location settings
PID:4620

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
65⤵
- Checks computer location settings
PID:1268

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
66⤵
- Checks computer location settings
PID:2196

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
67⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
68⤵
- Checks computer location settings
PID:2984

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
69⤵
- Checks computer location settings
PID:1512

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
70⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
70⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:1704

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
69⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:652

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
68⤵
- Enumerates system info in registry
PID:4248

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
67⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:4184

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
66⤵
- Checks BIOS information in registry
PID:3084

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
65⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:3264

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
64⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
65⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
63⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
64⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
62⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:3904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
63⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
61⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
62⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
62⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
60⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
61⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
59⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:2368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
60⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
60⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
58⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:4284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
59⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
57⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
58⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
56⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:1624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
57⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
57⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
55⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
56⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
54⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
55⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
53⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
54⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
52⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
53⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
51⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
52⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
52⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
50⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:2268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
51⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
49⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:4208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
50⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
48⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
49⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
47⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:5048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
48⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
46⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
47⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
45⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
46⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
44⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
45⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
43⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
44⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
42⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
43⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
43⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
41⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
42⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
42⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
40⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
41⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
40⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
38⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
39⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
39⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
38⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
36⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
37⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
35⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
36⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
34⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
35⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
35⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
33⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
34⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
32⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
33⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
32⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
30⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
31⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
29⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
30⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
28⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
29⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
27⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
28⤵
PID:3232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
28⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
26⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
27⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
27⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
25⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
26⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
24⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
25⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
23⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
24⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
22⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
23⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
21⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
22⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
22⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
20⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
21⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
19⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
20⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
20⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
19⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
19⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
17⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:5016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
18⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
16⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
17⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
17⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
15⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:4228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
16⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
14⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
15⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
13⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
14⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
12⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:5032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
13⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
11⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
12⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
10⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
11⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
9⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
10⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
8⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
9⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
8⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
PID:3696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
7⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
6⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
5⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
4⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
3⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\install.exe.log
Filesize
520B

MD5
3ca2f9e6a94c24c455ac9431a0bf479b

SHA1
a90309eec691588990609f8f8ad9b935d6f38eb2

SHA256
e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e

SHA512
ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe
Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
memory/424-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/640-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/872-340-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-211-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/920-203-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/920-238-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1072-316-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1072-359-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1320-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1328-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1688-169-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/1688-212-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/1796-291-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1912-215-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/1912-256-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2288-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2404-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2460-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-264-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2608-244-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2680-323-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2756-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3048-179-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3048-221-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3152-349-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3244-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3264-177-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3264-150-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3336-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3404-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3436-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3656-223-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/3656-263-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/3684-358-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/3696-154-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3696-196-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3780-152-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3780-186-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4120-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4160-229-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4160-195-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4176-148-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/4176-158-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/4200-325-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4200-282-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4228-237-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4228-273-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4292-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4544-332-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4572-146-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/4572-144-0x0000000000C70000-0x0000000000CC2000-memory.dmp

Filesize
328KB

Download
memory/4572-164-0x00000000056C0000-0x00000000056C3000-memory.dmp

Filesize
12KB

Download
memory/4572-145-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4572-155-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4576-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4740-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4748-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4976-350-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4980-204-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/4980-157-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/5016-254-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/5032-209-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/5032-246-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download