blacknet | 61317d21af36bf0640cbb2d71db860ce698a8cbe4cf38b433a4b04441ed1b7fe

Analysis

max time kernel
91s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/06/2023, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
Size

429KB
MD5

23f50c4bff4b1018a5b24dca1e9a525d
SHA1

366ae616becd1beaa884ab87659468921a32b8ab
SHA256

636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a
SHA512

3b8f205a2ae57be0635f470411afeacf4c95f83594d415bd0472f6afa0f50ed1b04e29a65e2db48b7ead45357f5aa602a8427e200b7dbedf4611a2dd062bbb16
SSDEEP

12288:uFwqoSpOurJqsoXlkY70Oti5RmgNmz5sCB:ubowfon0Wijmww

Score

10^/10

blacknet hacked trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

HacKed

http://bankslip.info/david/

Mutex

BN[lnUntCqW-7778345]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 6 IoCs

resource	yara_rule
behavioral1/memory/608-59-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/608-60-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/608-62-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/608-65-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/608-67-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/608-73-0x0000000000E80000-0x0000000000EC0000-memory.dmp	family_blacknet

Executes dropped EXE 64 IoCs

pid	Process
656	cmd.exe
940	cmd.exe
1520	cmd.exe
1288	cmd.exe
1384	cmd.exe
636	cmd.exe
756	cmd.exe
1996	cmd.exe
1336	cmd.exe
1072	cmd.exe
1768	cmd.exe
576	cmd.exe
1588	cmd.exe
820	cmd.exe
1620	cmd.exe
596	cmd.exe
1608	cmd.exe
876	cmd.exe
588	cmd.exe
1748	cmd.exe
964	cmd.exe
2076	cmd.exe
2172	cmd.exe
2212	cmd.exe
2296	cmd.exe
2368	cmd.exe
2464	cmd.exe
2504	cmd.exe
2548	cmd.exe
2604	cmd.exe
2732	cmd.exe
2772	cmd.exe
2832	cmd.exe
2876	cmd.exe
2980	cmd.exe
3012	cmd.exe
1172	cmd.exe
2088	cmd.exe
2288	cmd.exe
2380	cmd.exe
2540	cmd.exe
2592	cmd.exe
2752	cmd.exe
2872	cmd.exe
2996	cmd.exe
2084	cmd.exe
2352	cmd.exe
2588	cmd.exe
1200	cmd.exe
2348	cmd.exe
2480	cmd.exe
1616	cmd.exe
1340	cmd.exe
3136	cmd.exe
3172	cmd.exe
3232	cmd.exe
3264	cmd.exe
3328	cmd.exe
3340	cmd.exe
3404	cmd.exe
3412	cmd.exe
3420	cmd.exe
3552	cmd.exe
3592	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
656	cmd.exe
940	cmd.exe
940	cmd.exe
656	cmd.exe
1384	cmd.exe
636	cmd.exe
636	cmd.exe
1384	cmd.exe
1336	cmd.exe
1072	cmd.exe
1336	cmd.exe
1072	cmd.exe
1588	cmd.exe
820	cmd.exe
820	cmd.exe
1588	cmd.exe
596	cmd.exe
596	cmd.exe
876	cmd.exe
876	cmd.exe
1748	cmd.exe
1748	cmd.exe
2076	cmd.exe
2076	cmd.exe
2212	cmd.exe
2212	cmd.exe
2368	cmd.exe
2368	cmd.exe
2504	cmd.exe
2504	cmd.exe
2604	cmd.exe
2604	cmd.exe
2772	cmd.exe
2772	cmd.exe
2876	cmd.exe
2876	cmd.exe
3012	cmd.exe
3012	cmd.exe
2088	cmd.exe
2088	cmd.exe
1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
2380	cmd.exe
2380	cmd.exe
2592	cmd.exe
2592	cmd.exe
2752	cmd.exe
2752	cmd.exe
940	cmd.exe
656	cmd.exe
2996	cmd.exe
2996	cmd.exe
2352	cmd.exe
2352	cmd.exe
1200	cmd.exe
1200	cmd.exe
2348	cmd.exe
2480	cmd.exe
2348	cmd.exe
636	cmd.exe
2480	cmd.exe
1384	cmd.exe
1340	cmd.exe

Suspicious use of SetThreadContext 36 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 940 set thread context of 1520	940	cmd.exe	32
PID 656 set thread context of 1288	656	cmd.exe	31
PID 636 set thread context of 756	636	cmd.exe	35
PID 1384 set thread context of 1996	1384	cmd.exe	36
PID 1336 set thread context of 1768	1336	cmd.exe	39
PID 1072 set thread context of 576	1072	cmd.exe	40
PID 820 set thread context of 1620	820	cmd.exe	44
PID 1588 set thread context of 1608	1588	cmd.exe	43
PID 596 set thread context of 588	596	cmd.exe	47
PID 876 set thread context of 964	876	cmd.exe	49
PID 1748 set thread context of 2172	1748	cmd.exe	51
PID 2076 set thread context of 2296	2076	cmd.exe	53
PID 2212 set thread context of 2464	2212	cmd.exe	55
PID 2368 set thread context of 2548	2368	cmd.exe	57
PID 2504 set thread context of 2732	2504	cmd.exe	59
PID 2604 set thread context of 2832	2604	cmd.exe	61
PID 2772 set thread context of 2980	2772	cmd.exe	63
PID 2876 set thread context of 1172	2876	cmd.exe	65
PID 3012 set thread context of 2288	3012	cmd.exe	67
PID 2088 set thread context of 2540	2088	cmd.exe	69
PID 2380 set thread context of 2872	2380	cmd.exe	72
PID 2592 set thread context of 2084	2592	cmd.exe	74
PID 2752 set thread context of 2588	2752	cmd.exe	76
PID 2996 set thread context of 1616	2996	cmd.exe	80
PID 2352 set thread context of 3136	2352	cmd.exe	82
PID 1200 set thread context of 3232	1200	cmd.exe	84
PID 2348 set thread context of 3328	2348	cmd.exe	86
PID 2480 set thread context of 3340	2480	cmd.exe	87
PID 1340 set thread context of 3592	1340	cmd.exe	92
PID 3172 set thread context of 3688	3172	cmd.exe	94
PID 3264 set thread context of 3788	3264	cmd.exe	96
PID 3412 set thread context of 3884	3412	cmd.exe	98
PID 3404 set thread context of 3892	3404	cmd.exe	99
PID 3420 set thread context of 3912	3420	cmd.exe	100
PID 3628 set thread context of 3600	3628	cmd.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
608	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious behavior: SetClipboardViewer 33 IoCs

pid	Process
1288	cmd.exe
756	cmd.exe
1996	cmd.exe
1768	cmd.exe
576	cmd.exe
1620	cmd.exe
1608	cmd.exe
588	cmd.exe
964	cmd.exe
2172	cmd.exe
2296	cmd.exe
2464	cmd.exe
2548	cmd.exe
2732	cmd.exe
2832	cmd.exe
2980	cmd.exe
1172	cmd.exe
2288	cmd.exe
2540	cmd.exe
2872	cmd.exe
2084	cmd.exe
2588	cmd.exe
1616	cmd.exe
3136	cmd.exe
3232	cmd.exe
3328	cmd.exe
3340	cmd.exe
3592	cmd.exe
3688	cmd.exe
3788	cmd.exe
3912	cmd.exe
3892	cmd.exe
3884	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	608	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
608	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
608	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 608	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 656	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1204 wrote to memory of 940	1204	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 940 wrote to memory of 1520	940	cmd.exe	32
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 656 wrote to memory of 1288	656	cmd.exe	31
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 940 wrote to memory of 1384	940	cmd.exe	34
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33
PID 656 wrote to memory of 636	656	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
"C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
  "C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:608
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1336
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1588
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3920
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5628
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:4120
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:576
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:820
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        Suspicious use of SetThreadContext
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        19⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        20⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        20⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3964
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Executes dropped EXE
      PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        
        PID:4064
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3404
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3148
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5156
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:5984

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:5852
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  PID:5440

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:5684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
memory/588-231-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/596-270-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/596-200-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/608-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-76-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/608-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/608-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/608-73-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/656-75-0x0000000000840000-0x0000000000878000-memory.dmp

Filesize
224KB

Download
memory/656-81-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/656-79-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/756-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/876-201-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/940-140-0x00000000042C0000-0x0000000004300000-memory.dmp

Filesize
256KB

Download
memory/940-80-0x00000000042C0000-0x0000000004300000-memory.dmp

Filesize
256KB

Download
memory/1200-408-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1204-56-0x0000000000E00000-0x0000000000F1C000-memory.dmp

Filesize
1.1MB

Download
memory/1204-55-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/1204-54-0x0000000001280000-0x00000000012F2000-memory.dmp

Filesize
456KB

Download
memory/1288-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1336-139-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/1384-170-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/1384-106-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/1520-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1520-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-99-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-171-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/1520-108-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1520-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1588-233-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/1588-169-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/1620-202-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/1748-301-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download
memory/2076-232-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2172-253-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2212-266-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download
memory/2296-347-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2296-269-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2464-300-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/2504-299-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/2540-375-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2592-374-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2772-376-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/2772-322-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/2832-326-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2996-398-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/3012-348-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download
memory/3168-589-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/3628-479-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/3820-517-0x00000000041B0000-0x00000000041F0000-memory.dmp

Filesize
256KB

Download
memory/4392-645-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/4476-643-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download