formbook | 6b25163b440dd83a1bff2789bd9f2f1631c37c5b80fbff10b909edc364c69ec2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MajorRevision.exe
Size

348KB
MD5

93b2754b3afa34b828cb071f036a8d31
SHA1

db5fe2d1ac4bebb309b76dfa01dd6024152d8963
SHA256

42dc8c1b59e676d065485a22fb11939ad1eac5114d0aba1e841cc404ebc08305
SHA512

627109227413f4caa4390a203a6cac2a526656f7a7cd2bb8dbafc6ede6f6af4f7646a19c67a30568374e331c2671286244482c9d44416069997838876bae4db4
SSDEEP

6144:AKWU8NrrXs+WsHmwZTbiDXRGgXn7jto/miDSEMZGlEjqZSHeQbn:AU8pIdxn7jevD1XM

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 20 IoCs

rat

resource	yara_rule
behavioral2/memory/1232-137-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1232-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2716-151-0x0000000000D70000-0x0000000000D9F000-memory.dmp	formbook
behavioral2/memory/2716-158-0x0000000000D70000-0x0000000000D9F000-memory.dmp	formbook
behavioral2/memory/4632-160-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2228-164-0x0000000000120000-0x000000000014F000-memory.dmp	formbook
behavioral2/memory/2324-178-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3884-182-0x0000000000C50000-0x0000000000C7F000-memory.dmp	formbook
behavioral2/memory/2672-188-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1816-197-0x0000000000760000-0x000000000078F000-memory.dmp	formbook
behavioral2/memory/3740-205-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4844-214-0x0000000000B30000-0x0000000000B5F000-memory.dmp	formbook
behavioral2/memory/4844-220-0x0000000000B30000-0x0000000000B5F000-memory.dmp	formbook
behavioral2/memory/4120-229-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4996-237-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/3276-246-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5000-250-0x0000000000800000-0x000000000082F000-memory.dmp	formbook
behavioral2/memory/180-263-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1652-268-0x0000000000360000-0x000000000038F000-memory.dmp	formbook
behavioral2/memory/1840-279-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MajorRevision.exe

Suspicious use of SetThreadContext 57 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 1232	4480	MajorRevision.exe	86
PID 1232 set thread context of 3232	1232	RegSvcs.exe	36
PID 1276 set thread context of 4632	1276	MajorRevision.exe	93
PID 4632 set thread context of 3232	4632	RegSvcs.exe	36
PID 2480 set thread context of 2324	2480	MajorRevision.exe	100
PID 2324 set thread context of 3232	2324	RegSvcs.exe	36
PID 2716 set thread context of 3232	2716	cmd.exe	36
PID 2168 set thread context of 2672	2168	MajorRevision.exe	109
PID 2672 set thread context of 3232	2672	RegSvcs.exe	36
PID 5104 set thread context of 3740	5104	MajorRevision.exe	116
PID 3740 set thread context of 3232	3740	RegSvcs.exe	36
PID 3456 set thread context of 4120	3456	MajorRevision.exe	121
PID 4120 set thread context of 3232	4120	RegSvcs.exe	36
PID 388 set thread context of 3276	388	MajorRevision.exe	129
PID 3276 set thread context of 3232	3276	RegSvcs.exe	36
PID 2424 set thread context of 180	2424	MajorRevision.exe	134
PID 180 set thread context of 3232	180	RegSvcs.exe	36
PID 2088 set thread context of 1840	2088	MajorRevision.exe	139
PID 1840 set thread context of 3232	1840	RegSvcs.exe	36
PID 4604 set thread context of 508	4604	MajorRevision.exe	145
PID 508 set thread context of 3232	508	RegSvcs.exe	36
PID 4916 set thread context of 4220	4916	MajorRevision.exe	150
PID 4220 set thread context of 3232	4220	RegSvcs.exe	36
PID 5104 set thread context of 2020	5104	MajorRevision.exe	155
PID 2020 set thread context of 3232	2020	RegSvcs.exe	36
PID 5068 set thread context of 3640	5068	MajorRevision.exe	160
PID 3640 set thread context of 3232	3640	RegSvcs.exe	36
PID 1856 set thread context of 2328	1856	MajorRevision.exe	165
PID 2328 set thread context of 3232	2328	RegSvcs.exe	36
PID 2328 set thread context of 3232	2328	RegSvcs.exe	36
PID 3864 set thread context of 2512	3864	MajorRevision.exe	170
PID 2512 set thread context of 3232	2512	RegSvcs.exe	36
PID 2512 set thread context of 3232	2512	RegSvcs.exe	36
PID 3560 set thread context of 1692	3560	MajorRevision.exe	178
PID 1692 set thread context of 3232	1692	RegSvcs.exe	36
PID 4488 set thread context of 3272	4488	MajorRevision.exe	183
PID 3272 set thread context of 3232	3272	RegSvcs.exe	36
PID 1780 set thread context of 1364	1780	MajorRevision.exe	188
PID 1364 set thread context of 3232	1364	RegSvcs.exe	36
PID 2352 set thread context of 4768	2352	MajorRevision.exe	193
PID 4768 set thread context of 3232	4768	RegSvcs.exe	36
PID 1192 set thread context of 2516	1192	MajorRevision.exe	199
PID 2516 set thread context of 3232	2516	RegSvcs.exe	36
PID 2572 set thread context of 3452	2572	MajorRevision.exe	206
PID 3452 set thread context of 3232	3452	RegSvcs.exe	36
PID 1640 set thread context of 4396	1640	MajorRevision.exe	212
PID 4396 set thread context of 3232	4396	RegSvcs.exe	36
PID 4168 set thread context of 5048	4168	MajorRevision.exe	217
PID 5048 set thread context of 3232	5048	RegSvcs.exe	36
PID 2928 set thread context of 3880	2928	MajorRevision.exe	222
PID 3880 set thread context of 3232	3880	RegSvcs.exe	36
PID 4392 set thread context of 1520	4392	MajorRevision.exe	228
PID 1520 set thread context of 3232	1520	RegSvcs.exe	36
PID 816 set thread context of 4864	816	MajorRevision.exe	233
PID 4864 set thread context of 3232	4864	RegSvcs.exe	36
PID 1796 set thread context of 920	1796	MajorRevision.exe	238
PID 920 set thread context of 3232	920	RegSvcs.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3560	schtasks.exe
2632	schtasks.exe
3260	schtasks.exe
4320	schtasks.exe
3076	schtasks.exe
2788	schtasks.exe
1708	schtasks.exe
1524	schtasks.exe
1492	schtasks.exe
1824	schtasks.exe
2816	schtasks.exe
4280	schtasks.exe
3120	schtasks.exe
5060	schtasks.exe
4800	schtasks.exe
3876	schtasks.exe
1008	schtasks.exe
2328	schtasks.exe
4644	schtasks.exe
428	schtasks.exe
4356	schtasks.exe
3484	schtasks.exe
1488	schtasks.exe
3076	schtasks.exe
2616	schtasks.exe
3956	schtasks.exe
1516	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2228	NETSTAT.EXE
1816	NETSTAT.EXE
4996	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4480	MajorRevision.exe
4480	MajorRevision.exe
4480	MajorRevision.exe
1232	RegSvcs.exe
1232	RegSvcs.exe
1232	RegSvcs.exe
1232	RegSvcs.exe
4480	MajorRevision.exe
2716	cmd.exe
2716	cmd.exe
4480	MajorRevision.exe
1276	MajorRevision.exe
4632	RegSvcs.exe
4632	RegSvcs.exe
4632	RegSvcs.exe
4632	RegSvcs.exe
2716	cmd.exe
2716	cmd.exe
1276	MajorRevision.exe
2228	NETSTAT.EXE
2228	NETSTAT.EXE
1276	MajorRevision.exe
2480	MajorRevision.exe
2480	MajorRevision.exe
2480	MajorRevision.exe
2480	MajorRevision.exe
2480	MajorRevision.exe
2324	RegSvcs.exe
2324	RegSvcs.exe
2324	RegSvcs.exe
2324	RegSvcs.exe
2480	MajorRevision.exe
3884	chkdsk.exe
3884	chkdsk.exe
2480	MajorRevision.exe
2168	MajorRevision.exe
2672	RegSvcs.exe
2672	RegSvcs.exe
2672	RegSvcs.exe
2672	RegSvcs.exe
2168	MajorRevision.exe
2716	cmd.exe
2716	cmd.exe
1816	NETSTAT.EXE
1816	NETSTAT.EXE
2168	MajorRevision.exe
5104	MajorRevision.exe
3740	RegSvcs.exe
3740	RegSvcs.exe
3740	RegSvcs.exe
3740	RegSvcs.exe
5104	MajorRevision.exe
2716	cmd.exe
2716	cmd.exe
5104	MajorRevision.exe
4844	mstsc.exe
4844	mstsc.exe
3456	MajorRevision.exe
4120	RegSvcs.exe
4120	RegSvcs.exe
4120	RegSvcs.exe
4120	RegSvcs.exe
3456	MajorRevision.exe
2716	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3232	Explorer.EXE

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1232	RegSvcs.exe
1232	RegSvcs.exe
1232	RegSvcs.exe
4632	RegSvcs.exe
2716	cmd.exe
4632	RegSvcs.exe
4632	RegSvcs.exe
2324	RegSvcs.exe
2716	cmd.exe
2324	RegSvcs.exe
2324	RegSvcs.exe
2672	RegSvcs.exe
2672	RegSvcs.exe
2672	RegSvcs.exe
3740	RegSvcs.exe
3740	RegSvcs.exe
3740	RegSvcs.exe
4120	RegSvcs.exe
4120	RegSvcs.exe
4120	RegSvcs.exe
3276	RegSvcs.exe
3276	RegSvcs.exe
3276	RegSvcs.exe
180	RegSvcs.exe
180	RegSvcs.exe
180	RegSvcs.exe
1840	RegSvcs.exe
1840	RegSvcs.exe
1840	RegSvcs.exe
508	RegSvcs.exe
508	RegSvcs.exe
508	RegSvcs.exe
4220	RegSvcs.exe
4220	RegSvcs.exe
4220	RegSvcs.exe
2020	RegSvcs.exe
2020	RegSvcs.exe
2020	RegSvcs.exe
3640	RegSvcs.exe
3640	RegSvcs.exe
3640	RegSvcs.exe
2328	RegSvcs.exe
2328	RegSvcs.exe
2328	RegSvcs.exe
2328	RegSvcs.exe
2512	RegSvcs.exe
2512	RegSvcs.exe
2512	RegSvcs.exe
2512	RegSvcs.exe
1692	RegSvcs.exe
1692	RegSvcs.exe
1692	RegSvcs.exe
3272	RegSvcs.exe
3272	RegSvcs.exe
3272	RegSvcs.exe
1364	RegSvcs.exe
1364	RegSvcs.exe
1364	RegSvcs.exe
4768	RegSvcs.exe
4768	RegSvcs.exe
4768	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	MajorRevision.exe
Token: SeDebugPrivilege	1232	RegSvcs.exe
Token: SeDebugPrivilege	2716	cmd.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	1276	MajorRevision.exe
Token: SeDebugPrivilege	4632	RegSvcs.exe
Token: SeDebugPrivilege	2228	NETSTAT.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	2480	MajorRevision.exe
Token: SeDebugPrivilege	2324	RegSvcs.exe
Token: SeDebugPrivilege	3884	chkdsk.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	2168	MajorRevision.exe
Token: SeDebugPrivilege	2672	RegSvcs.exe
Token: SeDebugPrivilege	1816	NETSTAT.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	5104	MajorRevision.exe
Token: SeDebugPrivilege	3740	RegSvcs.exe
Token: SeDebugPrivilege	4844	mstsc.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	3456	MajorRevision.exe
Token: SeDebugPrivilege	4120	RegSvcs.exe
Token: SeDebugPrivilege	4996	ipconfig.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	388	MajorRevision.exe
Token: SeDebugPrivilege	3276	RegSvcs.exe
Token: SeDebugPrivilege	5000	help.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	2424	MajorRevision.exe
Token: SeDebugPrivilege	180	RegSvcs.exe
Token: SeDebugPrivilege	1652	mstsc.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	2088	MajorRevision.exe
Token: SeDebugPrivilege	1840	RegSvcs.exe
Token: SeDebugPrivilege	4528	wlanext.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	4604	MajorRevision.exe
Token: SeDebugPrivilege	508	RegSvcs.exe
Token: SeDebugPrivilege	3152	svchost.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	4916	MajorRevision.exe
Token: SeDebugPrivilege	4220	RegSvcs.exe
Token: SeDebugPrivilege	1352	systray.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	5104	MajorRevision.exe
Token: SeDebugPrivilege	2020	RegSvcs.exe
Token: SeDebugPrivilege	4776	msiexec.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	5068	MajorRevision.exe
Token: SeDebugPrivilege	3640	RegSvcs.exe
Token: SeDebugPrivilege	3368	explorer.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1488	4480	MajorRevision.exe	83
PID 4480 wrote to memory of 1488	4480	MajorRevision.exe	83
PID 4480 wrote to memory of 1488	4480	MajorRevision.exe	83
PID 4480 wrote to memory of 1320	4480	MajorRevision.exe	85
PID 4480 wrote to memory of 1320	4480	MajorRevision.exe	85
PID 4480 wrote to memory of 1320	4480	MajorRevision.exe	85
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 4480 wrote to memory of 1232	4480	MajorRevision.exe	86
PID 3232 wrote to memory of 2716	3232	Explorer.EXE	87
PID 3232 wrote to memory of 2716	3232	Explorer.EXE	87
PID 3232 wrote to memory of 2716	3232	Explorer.EXE	87
PID 2716 wrote to memory of 3308	2716	cmd.exe	88
PID 2716 wrote to memory of 3308	2716	cmd.exe	88
PID 2716 wrote to memory of 3308	2716	cmd.exe	88
PID 4480 wrote to memory of 1276	4480	MajorRevision.exe	90
PID 4480 wrote to memory of 1276	4480	MajorRevision.exe	90
PID 4480 wrote to memory of 1276	4480	MajorRevision.exe	90
PID 1276 wrote to memory of 2328	1276	MajorRevision.exe	92
PID 1276 wrote to memory of 2328	1276	MajorRevision.exe	92
PID 1276 wrote to memory of 2328	1276	MajorRevision.exe	92
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 1276 wrote to memory of 4632	1276	MajorRevision.exe	93
PID 3232 wrote to memory of 2228	3232	Explorer.EXE	94
PID 3232 wrote to memory of 2228	3232	Explorer.EXE	94
PID 3232 wrote to memory of 2228	3232	Explorer.EXE	94
PID 1276 wrote to memory of 2480	1276	MajorRevision.exe	95
PID 1276 wrote to memory of 2480	1276	MajorRevision.exe	95
PID 1276 wrote to memory of 2480	1276	MajorRevision.exe	95
PID 2480 wrote to memory of 3076	2480	MajorRevision.exe	96
PID 2480 wrote to memory of 3076	2480	MajorRevision.exe	96
PID 2480 wrote to memory of 3076	2480	MajorRevision.exe	96
PID 2480 wrote to memory of 2300	2480	MajorRevision.exe	98
PID 2480 wrote to memory of 2300	2480	MajorRevision.exe	98
PID 2480 wrote to memory of 2300	2480	MajorRevision.exe	98
PID 2480 wrote to memory of 2512	2480	MajorRevision.exe	99
PID 2480 wrote to memory of 2512	2480	MajorRevision.exe	99
PID 2480 wrote to memory of 2512	2480	MajorRevision.exe	99
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 2480 wrote to memory of 2324	2480	MajorRevision.exe	100
PID 3232 wrote to memory of 3884	3232	Explorer.EXE	103
PID 3232 wrote to memory of 3884	3232	Explorer.EXE	103
PID 3232 wrote to memory of 3884	3232	Explorer.EXE	103
PID 2480 wrote to memory of 2168	2480	MajorRevision.exe	105
PID 2480 wrote to memory of 2168	2480	MajorRevision.exe	105
PID 2480 wrote to memory of 2168	2480	MajorRevision.exe	105
PID 2168 wrote to memory of 3560	2168	MajorRevision.exe	107
PID 2168 wrote to memory of 3560	2168	MajorRevision.exe	107
PID 2168 wrote to memory of 3560	2168	MajorRevision.exe	107
PID 2168 wrote to memory of 2672	2168	MajorRevision.exe	109
PID 2168 wrote to memory of 2672	2168	MajorRevision.exe	109
PID 2168 wrote to memory of 2672	2168	MajorRevision.exe	109
PID 2168 wrote to memory of 2672	2168	MajorRevision.exe	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
  "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A09.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1488
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "{path}"
    3⤵
    PID:1320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
    "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8254.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
      "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94F2.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:3076
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        5⤵
        
        PID:2300
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        5⤵
        
        PID:2512
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA889.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC11.tmp"
        7⤵
        Creates scheduled task(s)
        
        PID:4644
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFB8.tmp"
        8⤵
        Creates scheduled task(s)
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE18B.tmp"
        9⤵
        Creates scheduled task(s)
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        9⤵
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        9⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4C5.tmp"
        10⤵
        Creates scheduled task(s)
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FF.tmp"
        11⤵
        Creates scheduled task(s)
        
        PID:3076
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D0D.tmp"
        12⤵
        Creates scheduled task(s)
        
        PID:2616
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        12⤵
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30B5.tmp"
        13⤵
        Creates scheduled task(s)
        
        PID:3956
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45F2.tmp"
        14⤵
        Creates scheduled task(s)
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp589F.tmp"
        15⤵
        Creates scheduled task(s)
        
        PID:1492
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        15⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B3D.tmp"
        16⤵
        Creates scheduled task(s)
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp973F.tmp"
        17⤵
        Creates scheduled task(s)
        
        PID:3260
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        17⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp"
        18⤵
        Creates scheduled task(s)
        
        PID:1824
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        18⤵
        
        PID:3536
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        18⤵
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        18⤵
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp"
        19⤵
        Creates scheduled task(s)
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB89.tmp"
        20⤵
        Creates scheduled task(s)
        
        PID:2816
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        20⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEB3.tmp"
        21⤵
        Creates scheduled task(s)
        
        PID:1708
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        21⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13B2.tmp"
        22⤵
        Creates scheduled task(s)
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        22⤵
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        22⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp"
        23⤵
        Creates scheduled task(s)
        
        PID:1524
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        23⤵
        Suspicious use of SetThreadContext
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        23⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B8D.tmp"
        24⤵
        Creates scheduled task(s)
        
        PID:4356
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        24⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        24⤵
        Suspicious use of SetThreadContext
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        24⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC1.tmp"
        25⤵
        Creates scheduled task(s)
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        25⤵
        Suspicious use of SetThreadContext
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        25⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp"
        26⤵
        Creates scheduled task(s)
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        26⤵
        Suspicious use of SetThreadContext
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        26⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp"
        27⤵
        Creates scheduled task(s)
        
        PID:3876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        27⤵
        
        PID:4788
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        27⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BA1.tmp"
        28⤵
        Creates scheduled task(s)
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        28⤵
        Suspicious use of SetThreadContext
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MajorRevision.exe"
        28⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FE5.tmp"
        29⤵
        Creates scheduled task(s)
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "{path}"
        29⤵
        Suspicious use of SetThreadContext
        
        PID:920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3308
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:5072
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:2068
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:3376
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  PID:1852
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:2156
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:920
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:976
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:5052
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:1564
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4988
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:364
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MajorRevision.exe.log

Filesize
224B

MD5
9c4b66f77f12558c48b620ddfb44029d

SHA1
446651db643b943ec37b9b3599655e211a4bc73e

SHA256
42f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708

SHA512
983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13B2.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D0D.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30B5.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B8D.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp45F2.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FC1.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp589F.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A09.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B3D.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FF.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8254.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BA1.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94F2.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp973F.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FE5.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA889.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC11.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC11.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFB8.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD716.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE18B.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB89.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4C5.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEB3.tmp

Filesize
1KB

MD5
0641060766474b3079a27dc22e88c212

SHA1
4668c243b8c493191ddb0789f964178727198fff

SHA256
574176934348aa986fc11a6fe6fa738dd85320596feafa1ee5a6f494b3229293

SHA512
b2a99888964a76998e6ac534064a1431e937b4ff23cac4b4ceb99ad72b50cb17b1e5d584a39e5760522cb6ff1415e8a21af6ea48d63d8ee571755368be5129ff

Download Submit
memory/180-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/180-258-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/180-259-0x00000000019F0000-0x0000000001A05000-memory.dmp

Filesize
84KB

Download
memory/388-239-0x0000000001830000-0x0000000001840000-memory.dmp

Filesize
64KB

Download
memory/1232-140-0x0000000001490000-0x00000000014A5000-memory.dmp

Filesize
84KB

Download
memory/1232-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-139-0x0000000001980000-0x0000000001CCA000-memory.dmp

Filesize
3.3MB

Download
memory/1276-153-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/1652-269-0x0000000002620000-0x000000000296A000-memory.dmp

Filesize
3.3MB

Download
memory/1652-268-0x0000000000360000-0x000000000038F000-memory.dmp

Filesize
188KB

Download
memory/1652-264-0x00000000003B0000-0x00000000004EA000-memory.dmp

Filesize
1.2MB

Download
memory/1652-261-0x00000000003B0000-0x00000000004EA000-memory.dmp

Filesize
1.2MB

Download
memory/1816-192-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/1816-193-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/1816-197-0x0000000000760000-0x000000000078F000-memory.dmp

Filesize
188KB

Download
memory/1816-198-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/1840-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1840-275-0x00000000014A0000-0x00000000014B5000-memory.dmp

Filesize
84KB

Download
memory/1840-274-0x0000000001950000-0x0000000001C9A000-memory.dmp

Filesize
3.3MB

Download
memory/2228-159-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/2228-161-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/2228-164-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2228-165-0x0000000000C60000-0x0000000000FAA000-memory.dmp

Filesize
3.3MB

Download
memory/2324-172-0x0000000001730000-0x0000000001A7A000-memory.dmp

Filesize
3.3MB

Download
memory/2324-173-0x0000000001C20000-0x0000000001C35000-memory.dmp

Filesize
84KB

Download
memory/2324-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-252-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/2480-166-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2672-189-0x0000000001910000-0x0000000001C5A000-memory.dmp

Filesize
3.3MB

Download
memory/2672-190-0x0000000001700000-0x0000000001715000-memory.dmp

Filesize
84KB

Download
memory/2672-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-142-0x0000000000A70000-0x0000000000ACA000-memory.dmp

Filesize
360KB

Download
memory/2716-145-0x0000000000A70000-0x0000000000ACA000-memory.dmp

Filesize
360KB

Download
memory/2716-151-0x0000000000D70000-0x0000000000D9F000-memory.dmp

Filesize
188KB

Download
memory/2716-158-0x0000000000D70000-0x0000000000D9F000-memory.dmp

Filesize
188KB

Download
memory/2716-175-0x0000000001830000-0x00000000018C4000-memory.dmp

Filesize
592KB

Download
memory/2716-152-0x0000000001B90000-0x0000000001EDA000-memory.dmp

Filesize
3.3MB

Download
memory/3232-176-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-191-0x00000000095D0000-0x0000000009711000-memory.dmp

Filesize
1.3MB

Download
memory/3232-141-0x00000000030A0000-0x000000000320A000-memory.dmp

Filesize
1.4MB

Download
memory/3232-157-0x00000000087A0000-0x0000000008874000-memory.dmp

Filesize
848KB

Download
memory/3232-260-0x000000000B490000-0x000000000B581000-memory.dmp

Filesize
964KB

Download
memory/3232-174-0x00000000088C0000-0x0000000008A1E000-memory.dmp

Filesize
1.4MB

Download
memory/3232-241-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-273-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-243-0x000000000BBB0000-0x000000000BD17000-memory.dmp

Filesize
1.4MB

Download
memory/3232-224-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-210-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-194-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-204-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3232-208-0x000000000AF10000-0x000000000B00C000-memory.dmp

Filesize
1008KB

Download
memory/3232-276-0x000000000E240000-0x000000000E3D1000-memory.dmp

Filesize
1.6MB

Download
memory/3232-227-0x000000000B010000-0x000000000B0D3000-memory.dmp

Filesize
780KB

Download
memory/3232-257-0x0000000008F10000-0x0000000008FE4000-memory.dmp

Filesize
848KB

Download
memory/3276-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3276-242-0x0000000000B60000-0x0000000000B75000-memory.dmp

Filesize
84KB

Download
memory/3276-238-0x0000000001020000-0x000000000136A000-memory.dmp

Filesize
3.3MB

Download
memory/3456-215-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/3740-207-0x00000000012A0000-0x00000000012B5000-memory.dmp

Filesize
84KB

Download
memory/3740-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-206-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download
memory/3884-179-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3884-183-0x0000000001370000-0x00000000016BA000-memory.dmp

Filesize
3.3MB

Download
memory/3884-177-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3884-182-0x0000000000C50000-0x0000000000C7F000-memory.dmp

Filesize
188KB

Download
memory/4120-225-0x0000000001870000-0x0000000001BBA000-memory.dmp

Filesize
3.3MB

Download
memory/4120-226-0x0000000001220000-0x0000000001235000-memory.dmp

Filesize
84KB

Download
memory/4120-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-133-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4528-278-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/4528-284-0x0000000000500000-0x0000000000517000-memory.dmp

Filesize
92KB

Download
memory/4632-155-0x0000000001230000-0x000000000157A000-memory.dmp

Filesize
3.3MB

Download
memory/4632-156-0x00000000011C0000-0x00000000011D5000-memory.dmp

Filesize
84KB

Download
memory/4632-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-221-0x0000000002CA0000-0x0000000002FEA000-memory.dmp

Filesize
3.3MB

Download
memory/4844-214-0x0000000000B30000-0x0000000000B5F000-memory.dmp

Filesize
188KB

Download
memory/4844-220-0x0000000000B30000-0x0000000000B5F000-memory.dmp

Filesize
188KB

Download
memory/4844-211-0x00000000003B0000-0x00000000004EA000-memory.dmp

Filesize
1.2MB

Download
memory/4844-213-0x00000000003B0000-0x00000000004EA000-memory.dmp

Filesize
1.2MB

Download
memory/4996-235-0x00000000011F0000-0x000000000153A000-memory.dmp

Filesize
3.3MB

Download
memory/4996-237-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/4996-230-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/4996-228-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/5000-251-0x0000000000FB0000-0x00000000012FA000-memory.dmp

Filesize
3.3MB

Download
memory/5000-245-0x0000000000360000-0x0000000000367000-memory.dmp

Filesize
28KB

Download
memory/5000-247-0x0000000000360000-0x0000000000367000-memory.dmp

Filesize
28KB

Download
memory/5000-250-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/5104-200-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download