gh0strat | f6087b5b38afaa2ea8da58c002ae713c100566b8c0545f051bd97e8c0d3e67e5

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.6MB
MD5

3601472d942d7a893e015cbea6a2931b
SHA1

b57bf034b799265bbdc5ca6e269645fc2159c411
SHA256

f6087b5b38afaa2ea8da58c002ae713c100566b8c0545f051bd97e8c0d3e67e5
SHA512

8908796d8da86ec09b4688949ca2089eac111146359d531243294028bb6c97189355b4a440cc329346dd737e563ce48441015d0a0f85d83330bedfc19a9d2dc2
SSDEEP

49152:WCwsbCANnKXferL7Vwe/Gg0P+WhGwTC+D:hws2ANnKXOaeOgmhGwTC4

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Extracted

Family

gh0strat

159.75.0.162

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/608-70-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/608-69-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1496-96-0x0000000002170000-0x0000000002246000-memory.dmp	purplefox_rootkit
behavioral1/memory/996-109-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/996-111-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/996-115-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1496-139-0x0000000002170000-0x0000000002246000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 29 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\7079138.txt	family_gh0strat
behavioral1/memory/608-70-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/608-69-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1496-95-0x0000000002170000-0x0000000002246000-memory.dmp	family_gh0strat
behavioral1/memory/300-100-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/996-109-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/996-111-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/996-115-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1048-120-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1612-132-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1736-137-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1496-140-0x0000000002170000-0x0000000002246000-memory.dmp	family_gh0strat
behavioral1/memory/300-141-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1588-148-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/520-155-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/668-163-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1756-172-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1092-177-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1428-186-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1572-193-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1296-201-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1960-213-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/684-218-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1196-227-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1080-235-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/360-243-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1604-255-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/928-260-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1396-268-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 58 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_tmp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exe

pid	process
1752	R.exe
608	N.exe
592	TXPlatfor.exe
996	TXPlatfor.exe
300	HD_tmp.exe
1048	Xrtnbjp.exe
1612	Xrtnbjp.exe
1736	Xrtnbjp.exe
1588	Xrtnbjp.exe
520	Xrtnbjp.exe
668	Xrtnbjp.exe
1756	Xrtnbjp.exe
1092	Xrtnbjp.exe
1428	Xrtnbjp.exe
1572	Xrtnbjp.exe
1296	Xrtnbjp.exe
1960	Xrtnbjp.exe
684	Xrtnbjp.exe
1196	Xrtnbjp.exe
1080	Xrtnbjp.exe
360	Xrtnbjp.exe
1604	Xrtnbjp.exe
928	Xrtnbjp.exe
1396	Xrtnbjp.exe
1628	Xrtnbjp.exe
524	Xrtnbjp.exe
1708	Xrtnbjp.exe
1916	Xrtnbjp.exe
948	Xrtnbjp.exe
1956	Xrtnbjp.exe
1612	Xrtnbjp.exe
1476	Xrtnbjp.exe
1632	Xrtnbjp.exe
1804	Xrtnbjp.exe
592	Xrtnbjp.exe
1660	Xrtnbjp.exe
1868	Xrtnbjp.exe
1908	Xrtnbjp.exe
1604	Xrtnbjp.exe
1388	Xrtnbjp.exe
1712	Xrtnbjp.exe
884	Xrtnbjp.exe
1060	Xrtnbjp.exe
1196	Xrtnbjp.exe
1564	Xrtnbjp.exe
1548	Xrtnbjp.exe
296	Xrtnbjp.exe
1344	Xrtnbjp.exe
1396	Xrtnbjp.exe
1860	Xrtnbjp.exe
1168	Xrtnbjp.exe
1708	Xrtnbjp.exe
1916	Xrtnbjp.exe
840	Xrtnbjp.exe
1084	Xrtnbjp.exe
1744	Xrtnbjp.exe
1692	Xrtnbjp.exe
1388	Xrtnbjp.exe

Loads dropped DLL 6 IoCs

Processes:

tmp.exeR.exeTXPlatfor.exe

pid process

1496 tmp.exe
1752 R.exe
1496 tmp.exe
592 TXPlatfor.exe
1496 tmp.exe
1496 tmp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/608-67-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/608-70-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/608-69-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
behavioral1/memory/300-97-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1496-95-0x0000000002170000-0x0000000002246000-memory.dmp	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_TMP.EXE	upx
behavioral1/memory/996-109-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/996-111-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/996-115-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1048-120-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1612-127-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1612-132-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1736-137-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/300-141-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1588-148-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/520-155-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/668-163-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1756-167-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1756-172-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1092-177-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1428-186-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1572-193-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1296-201-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1960-206-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1960-213-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/684-218-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1196-227-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1080-235-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/360-243-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1604-248-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1604-255-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/928-260-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
behavioral1/memory/1396-268-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx
C:\Program Files (x86)\Xrtnbjp.exe	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
File opened (read-only)	\??\I:	HD_tmp.exe
File opened (read-only)	\??\K:	HD_tmp.exe
File opened (read-only)	\??\N:	HD_tmp.exe
File opened (read-only)	\??\P:	HD_tmp.exe
File opened (read-only)	\??\Q:	HD_tmp.exe
File opened (read-only)	\??\S:	HD_tmp.exe
File opened (read-only)	\??\B:	HD_tmp.exe
File opened (read-only)	\??\J:	HD_tmp.exe
File opened (read-only)	\??\L:	HD_tmp.exe
File opened (read-only)	\??\T:	HD_tmp.exe
File opened (read-only)	\??\Z:	HD_tmp.exe
File opened (read-only)	\??\H:	HD_tmp.exe
File opened (read-only)	\??\F:	HD_tmp.exe
File opened (read-only)	\??\M:	HD_tmp.exe
File opened (read-only)	\??\R:	HD_tmp.exe
File opened (read-only)	\??\V:	HD_tmp.exe
File opened (read-only)	\??\W:	HD_tmp.exe
File opened (read-only)	\??\Y:	HD_tmp.exe
File opened (read-only)	\??\E:	HD_tmp.exe
File opened (read-only)	\??\O:	HD_tmp.exe
File opened (read-only)	\??\U:	HD_tmp.exe
File opened (read-only)	\??\X:	HD_tmp.exe
File opened (read-only)	\??\G:	HD_tmp.exe

Drops file in System32 directory 3 IoCs

Processes:

R.exeN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\7079138.txt	R.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

Drops file in Program Files directory 2 IoCs

Processes:

HD_tmp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Xrtnbjp.exe	HD_tmp.exe
File created	C:\Program Files (x86)\Xrtnbjp.exe	HD_tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_tmp.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

tmp.exeHD_tmp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exe

pid	process
1496	tmp.exe
300	HD_tmp.exe
1048	Xrtnbjp.exe
300	HD_tmp.exe
1612	Xrtnbjp.exe
1736	Xrtnbjp.exe
1588	Xrtnbjp.exe
520	Xrtnbjp.exe
668	Xrtnbjp.exe
1756	Xrtnbjp.exe
1092	Xrtnbjp.exe
1428	Xrtnbjp.exe
1572	Xrtnbjp.exe
1296	Xrtnbjp.exe
1960	Xrtnbjp.exe
684	Xrtnbjp.exe
1196	Xrtnbjp.exe
1080	Xrtnbjp.exe
360	Xrtnbjp.exe
1604	Xrtnbjp.exe
928	Xrtnbjp.exe
1396	Xrtnbjp.exe
1628	Xrtnbjp.exe
524	Xrtnbjp.exe
1708	Xrtnbjp.exe
1916	Xrtnbjp.exe
948	Xrtnbjp.exe
1956	Xrtnbjp.exe
1612	Xrtnbjp.exe
1476	Xrtnbjp.exe
1632	Xrtnbjp.exe
1804	Xrtnbjp.exe
592	Xrtnbjp.exe
1660	Xrtnbjp.exe
1868	Xrtnbjp.exe
1908	Xrtnbjp.exe
1604	Xrtnbjp.exe
1388	Xrtnbjp.exe
1712	Xrtnbjp.exe
884	Xrtnbjp.exe
1060	Xrtnbjp.exe
1196	Xrtnbjp.exe
1564	Xrtnbjp.exe
1548	Xrtnbjp.exe
296	Xrtnbjp.exe
1344	Xrtnbjp.exe
1396	Xrtnbjp.exe
1860	Xrtnbjp.exe
1168	Xrtnbjp.exe
1708	Xrtnbjp.exe
1916	Xrtnbjp.exe
840	Xrtnbjp.exe
1084	Xrtnbjp.exe
1744	Xrtnbjp.exe
1692	Xrtnbjp.exe
1388	Xrtnbjp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

996 TXPlatfor.exe

pid	process
996	TXPlatfor.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

HD_tmp.exeXrtnbjp.exeXrtnbjp.exe

pid	process
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
300	HD_tmp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1048	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe
1612	Xrtnbjp.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

N.exeHD_tmp.exeXrtnbjp.exeTXPlatfor.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exeXrtnbjp.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	608	N.exe
Token: SeDebugPrivilege	300	HD_tmp.exe
Token: SeDebugPrivilege	1048	Xrtnbjp.exe
Token: SeLoadDriverPrivilege	996	TXPlatfor.exe
Token: SeDebugPrivilege	1612	Xrtnbjp.exe
Token: SeDebugPrivilege	1736	Xrtnbjp.exe
Token: SeDebugPrivilege	1588	Xrtnbjp.exe
Token: SeDebugPrivilege	520	Xrtnbjp.exe
Token: SeDebugPrivilege	668	Xrtnbjp.exe
Token: SeDebugPrivilege	1756	Xrtnbjp.exe
Token: SeDebugPrivilege	1092	Xrtnbjp.exe
Token: SeDebugPrivilege	1428	Xrtnbjp.exe
Token: SeDebugPrivilege	1572	Xrtnbjp.exe
Token: SeDebugPrivilege	1296	Xrtnbjp.exe
Token: SeDebugPrivilege	1960	Xrtnbjp.exe
Token: SeDebugPrivilege	684	Xrtnbjp.exe
Token: SeDebugPrivilege	1196	Xrtnbjp.exe
Token: SeDebugPrivilege	1080	Xrtnbjp.exe
Token: SeDebugPrivilege	360	Xrtnbjp.exe
Token: SeDebugPrivilege	1604	Xrtnbjp.exe
Token: SeDebugPrivilege	928	Xrtnbjp.exe
Token: SeDebugPrivilege	1396	Xrtnbjp.exe
Token: SeDebugPrivilege	1628	Xrtnbjp.exe
Token: 33	996	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	996	TXPlatfor.exe
Token: SeDebugPrivilege	524	Xrtnbjp.exe
Token: SeDebugPrivilege	1708	Xrtnbjp.exe
Token: SeDebugPrivilege	1916	Xrtnbjp.exe
Token: SeDebugPrivilege	948	Xrtnbjp.exe
Token: SeDebugPrivilege	1956	Xrtnbjp.exe
Token: SeDebugPrivilege	1612	Xrtnbjp.exe
Token: SeDebugPrivilege	1476	Xrtnbjp.exe
Token: SeDebugPrivilege	1632	Xrtnbjp.exe
Token: SeDebugPrivilege	1804	Xrtnbjp.exe
Token: SeDebugPrivilege	592	Xrtnbjp.exe
Token: SeDebugPrivilege	1660	Xrtnbjp.exe
Token: SeDebugPrivilege	1868	Xrtnbjp.exe
Token: SeDebugPrivilege	1908	Xrtnbjp.exe
Token: SeDebugPrivilege	1604	Xrtnbjp.exe
Token: SeDebugPrivilege	1388	Xrtnbjp.exe
Token: SeDebugPrivilege	1712	Xrtnbjp.exe
Token: SeDebugPrivilege	884	Xrtnbjp.exe
Token: SeDebugPrivilege	1060	Xrtnbjp.exe
Token: SeDebugPrivilege	1196	Xrtnbjp.exe
Token: SeDebugPrivilege	1564	Xrtnbjp.exe
Token: SeDebugPrivilege	1548	Xrtnbjp.exe
Token: SeDebugPrivilege	296	Xrtnbjp.exe
Token: SeDebugPrivilege	1344	Xrtnbjp.exe
Token: 33	996	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	996	TXPlatfor.exe
Token: SeDebugPrivilege	1396	Xrtnbjp.exe
Token: SeDebugPrivilege	1860	Xrtnbjp.exe
Token: SeDebugPrivilege	1168	Xrtnbjp.exe
Token: SeDebugPrivilege	1708	Xrtnbjp.exe
Token: SeDebugPrivilege	1916	Xrtnbjp.exe
Token: SeDebugPrivilege	840	Xrtnbjp.exe
Token: SeDebugPrivilege	1084	Xrtnbjp.exe
Token: SeDebugPrivilege	1744	Xrtnbjp.exe
Token: SeDebugPrivilege	1692	Xrtnbjp.exe
Token: SeDebugPrivilege	1388	Xrtnbjp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

1496 tmp.exe
1496 tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeN.exeTXPlatfor.exeHD_tmp.exe

description	pid	process	target process
PID 1496 wrote to memory of 1752	1496	tmp.exe	R.exe
PID 1496 wrote to memory of 1752	1496	tmp.exe	R.exe
PID 1496 wrote to memory of 1752	1496	tmp.exe	R.exe
PID 1496 wrote to memory of 1752	1496	tmp.exe	R.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 1496 wrote to memory of 608	1496	tmp.exe	N.exe
PID 608 wrote to memory of 1480	608	N.exe	cmd.exe
PID 608 wrote to memory of 1480	608	N.exe	cmd.exe
PID 608 wrote to memory of 1480	608	N.exe	cmd.exe
PID 608 wrote to memory of 1480	608	N.exe	cmd.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 592 wrote to memory of 996	592	TXPlatfor.exe	TXPlatfor.exe
PID 1496 wrote to memory of 300	1496	tmp.exe	HD_tmp.exe
PID 1496 wrote to memory of 300	1496	tmp.exe	HD_tmp.exe
PID 1496 wrote to memory of 300	1496	tmp.exe	HD_tmp.exe
PID 1496 wrote to memory of 300	1496	tmp.exe	HD_tmp.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 368	300	HD_tmp.exe	wininit.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 380	300	HD_tmp.exe	csrss.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 416	300	HD_tmp.exe	winlogon.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 460	300	HD_tmp.exe	services.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 476	300	HD_tmp.exe	lsass.exe
PID 300 wrote to memory of 484	300	HD_tmp.exe	lsm.exe
PID 300 wrote to memory of 484	300	HD_tmp.exe	lsm.exe
PID 300 wrote to memory of 484	300	HD_tmp.exe	lsm.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:276

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -acsi
3⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Program Files (x86)\Xrtnbjp.exe
"C:\Program Files (x86)\Xrtnbjp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8669093827240274621701143510-1888603488-107267905-1305892137-15476068501261194573"
2⤵
PID:1916

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1212

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\R.exe
C:\Users\Admin\AppData\Local\Temp\\R.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1752

C:\Users\Admin\AppData\Local\Temp\N.exe
C:\Users\Admin\AppData\Local\Temp\\N.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
4⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Program Files (x86)\Xrtnbjp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_TMP.EXE
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
2.3MB

MD5
f3fcee194f797b21f69703101eeb5baf

SHA1
dfdb48959c2be3b91db7565593f83b54f0bf7d66

SHA256
a7a1f343d710552699247c9dddc60c904e5a8db2fbfc5731f7f6c7a7f0f0cdf2

SHA512
481b607923310ce925d27c13b2608056262417d8f8bc11dbde74a085006e71562d2a62eca972bb063b4e9813da7e4fc621c2c24130241123fab5ddf5dd2c5bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\7079138.txt
Filesize
899KB

MD5
a8e2a51d2beb49ea012b3acfd5b97996

SHA1
8fa5c452fbddb36da4e154a532e6dd1ebbcb0f8d

SHA256
c3424f7cd1e1ca80a7e2fde65fb99f4fbfefd6cc6cde98c659abe354f1423c51

SHA512
27fefd81777f93e4476e9ccd17087e73c064c67548f8917d98a8cdcc4464008120c079d11d5b8f4b9d8a2bbc5cbb26091dbe9fa33d8b6e173284a6d2dccf74ff

Download Submit
\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
memory/300-100-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/300-141-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/300-97-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/300-125-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/360-243-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/520-155-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/608-69-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/608-70-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/608-67-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/668-163-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/684-218-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/928-260-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/996-270-0x000000007EE70000-0x000000007EE7C000-memory.dmp

Filesize
48KB

Download
memory/996-179-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/996-220-0x000000007EF30000-0x000000007EF3C000-memory.dmp

Filesize
48KB

Download
memory/996-109-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/996-111-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/996-228-0x000000007EF20000-0x000000007EF2C000-memory.dmp

Filesize
48KB

Download
memory/996-115-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/996-211-0x000000007EEE0000-0x000000007EEEC000-memory.dmp

Filesize
48KB

Download
memory/996-119-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/996-236-0x000000007EF10000-0x000000007EF1C000-memory.dmp

Filesize
48KB

Download
memory/996-237-0x000000007EEB0000-0x000000007EEBC000-memory.dmp

Filesize
48KB

Download
memory/996-210-0x000000007EF40000-0x000000007EF4C000-memory.dmp

Filesize
48KB

Download
memory/996-121-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/996-244-0x000000007EF00000-0x000000007EF0C000-memory.dmp

Filesize
48KB

Download
memory/996-245-0x000000007EEA0000-0x000000007EEAC000-memory.dmp

Filesize
48KB

Download
memory/996-205-0x000000007EF50000-0x000000007EF5C000-memory.dmp

Filesize
48KB

Download
memory/996-131-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/996-249-0x000000007EE90000-0x000000007EE9C000-memory.dmp

Filesize
48KB

Download
memory/996-253-0x000000007EEF0000-0x000000007EEFC000-memory.dmp

Filesize
48KB

Download
memory/996-138-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/996-202-0x000000007EEF0000-0x000000007EEFC000-memory.dmp

Filesize
48KB

Download
memory/996-147-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/996-261-0x000000007EE80000-0x000000007EE8C000-memory.dmp

Filesize
48KB

Download
memory/996-262-0x000000007EEE0000-0x000000007EEEC000-memory.dmp

Filesize
48KB

Download
memory/996-195-0x000000007EF60000-0x000000007EF6C000-memory.dmp

Filesize
48KB

Download
memory/996-149-0x000000007EF60000-0x000000007EF6C000-memory.dmp

Filesize
48KB

Download
memory/996-269-0x000000007EED0000-0x000000007EEDC000-memory.dmp

Filesize
48KB

Download
memory/996-194-0x000000007EF00000-0x000000007EF0C000-memory.dmp

Filesize
48KB

Download
memory/996-156-0x000000007EF50000-0x000000007EF5C000-memory.dmp

Filesize
48KB

Download
memory/996-187-0x000000007EF10000-0x000000007EF1C000-memory.dmp

Filesize
48KB

Download
memory/996-164-0x000000007EF40000-0x000000007EF4C000-memory.dmp

Filesize
48KB

Download
memory/996-185-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/996-219-0x000000007EED0000-0x000000007EEDC000-memory.dmp

Filesize
48KB

Download
memory/996-178-0x000000007EF20000-0x000000007EF2C000-memory.dmp

Filesize
48KB

Download
memory/996-171-0x000000007EF30000-0x000000007EF3C000-memory.dmp

Filesize
48KB

Download
memory/1048-120-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1080-235-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1092-177-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1196-227-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1296-201-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1396-268-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1428-186-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1480-99-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1480-98-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1496-140-0x0000000002170000-0x0000000002246000-memory.dmp

Filesize
856KB

Download
memory/1496-95-0x0000000002170000-0x0000000002246000-memory.dmp

Filesize
856KB

Download
memory/1496-139-0x0000000002170000-0x0000000002246000-memory.dmp

Filesize
856KB

Download
memory/1496-229-0x000000007EEC0000-0x000000007EECC000-memory.dmp

Filesize
48KB

Download
memory/1496-96-0x0000000002170000-0x0000000002246000-memory.dmp

Filesize
856KB

Download
memory/1496-123-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1572-193-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1588-148-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1604-248-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1604-255-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1612-127-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1612-132-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1736-137-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1756-172-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1756-167-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1960-206-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1960-213-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download