netwire | 3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OInstall.exe
Size

15.2MB
MD5

38be94769e4f59d9a90e551e505c2e07
SHA1

cac71ca2dd32cbe99614870ef01851e0d54bff84
SHA256

3a216b9390f1c46b8e49d43c63211a76e236510ef545eda83ddd8084f605f956
SHA512

47ef669a5be744235e10ba65d7deb8bdd46544cd6dc4532fa4b43fdc3b5d9b6b49febbef8906870b321281c47ca45f9b679e65eabfeffbf6deffc96fa27e24a5
SSDEEP

393216:J8/uxLqG0/kfQslis6SAVDfINRPcji3Zhtnh0:Bv0/kr8s6SA5QUji3ZhtnK

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

qayshaija.ddns.net:1515

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral2/memory/4068-37-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4068-41-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4068-43-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4644-61-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/4644-64-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/3344-75-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/3344-72-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/3764-168-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/3764-170-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks BIOS information in registry 2 TTPs 58 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	install.exe

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	OInstall.exe

Executes dropped EXE 58 IoCs

pid	Process
4444	install.exe
4816	install.exe
2292	install.exe
3476	install.exe
2284	install.exe
1956	install.exe
744	install.exe
4400	install.exe
4656	install.exe
1732	install.exe
3076	install.exe
4652	install.exe
2872	install.exe
4680	install.exe
2824	install.exe
776	install.exe
4260	install.exe
3484	install.exe
3228	install.exe
3320	install.exe
2872	install.exe
3100	install.exe
856	install.exe
1020	install.exe
4340	install.exe
1924	install.exe
4512	install.exe
4272	install.exe
4744	install.exe
520	install.exe
4496	install.exe
4660	install.exe
4172	install.exe
3164	install.exe
4340	install.exe
2984	install.exe
4988	install.exe
640	install.exe
4468	install.exe
4388	install.exe
1892	install.exe
3300	install.exe
396	install.exe
4528	install.exe
3980	install.exe
2008	install.exe
4624	install.exe
4856	install.exe
520	install.exe
940	install.exe
4704	install.exe
3828	install.exe
2468	install.exe
4408	install.exe
3784	install.exe
1892	install.exe
1436	install.exe
3056	install.exe

Suspicious use of SetThreadContext 53 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 4068	4444	install.exe	108
PID 4816 set thread context of 3376	4816	install.exe	113
PID 2292 set thread context of 4644	2292	install.exe	118
PID 3476 set thread context of 3344	3476	install.exe	123
PID 2284 set thread context of 2872	2284	install.exe	128
PID 1956 set thread context of 3544	1956	install.exe	133
PID 744 set thread context of 2472	744	install.exe	139
PID 4400 set thread context of 3536	4400	install.exe	146
PID 4656 set thread context of 4700	4656	install.exe	168
PID 1732 set thread context of 3424	1732	install.exe	159
PID 3076 set thread context of 1600	3076	install.exe	180
PID 4652 set thread context of 3764	4652	install.exe	170
PID 2872 set thread context of 2448	2872	install.exe	177
PID 4680 set thread context of 932	4680	install.exe	182
PID 2824 set thread context of 1616	2824	install.exe	187
PID 776 set thread context of 4444	776	install.exe	192
PID 4260 set thread context of 2440	4260	install.exe	197
PID 3484 set thread context of 1548	3484	install.exe	203
PID 3228 set thread context of 3076	3228	install.exe	208
PID 3320 set thread context of 3648	3320	install.exe	213
PID 2872 set thread context of 3912	2872	install.exe	219
PID 3100 set thread context of 2124	3100	install.exe	223
PID 856 set thread context of 4300	856	install.exe	229
PID 1020 set thread context of 1732	1020	install.exe	235
PID 4340 set thread context of 1920	4340	install.exe	241
PID 1924 set thread context of 3980	1924	install.exe	246
PID 4512 set thread context of 3084	4512	install.exe	251
PID 4272 set thread context of 2648	4272	install.exe	256
PID 4744 set thread context of 1548	4744	install.exe	263
PID 520 set thread context of 1488	520	install.exe	269
PID 4496 set thread context of 1808	4496	install.exe	274
PID 4660 set thread context of 1200	4660	install.exe	279
PID 4172 set thread context of 4068	4172	install.exe	284
PID 3164 set thread context of 4020	3164	install.exe	291
PID 4340 set thread context of 2340	4340	install.exe	296
PID 2984 set thread context of 1908	2984	install.exe	301
PID 4988 set thread context of 1020	4988	install.exe	306
PID 640 set thread context of 3164	640	install.exe	315
PID 4468 set thread context of 2164	4468	install.exe	320
PID 4388 set thread context of 1204	4388	install.exe	326
PID 1892 set thread context of 4556	1892	install.exe	331
PID 3300 set thread context of 4744	3300	install.exe	336
PID 396 set thread context of 372	396	install.exe	341
PID 4528 set thread context of 4752	4528	install.exe	345
PID 3980 set thread context of 4444	3980	install.exe	350
PID 2008 set thread context of 992	2008	install.exe	355
PID 4624 set thread context of 2872	4624	install.exe	360
PID 4856 set thread context of 844	4856	install.exe	365
PID 520 set thread context of 2420	520	install.exe	370
PID 940 set thread context of 3076	940	install.exe	375
PID 4704 set thread context of 1284	4704	install.exe	380
PID 3828 set thread context of 4156	3828	install.exe	385
PID 2468 set thread context of 4504	2468	OInstall.exe	390

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 59 IoCs

pid	pid_target	Process	procid_target
3980	4068	WerFault.exe	108
4520	3376	WerFault.exe	113
4508	4644	WerFault.exe	118
3780	3344	WerFault.exe	123
4284	2872	WerFault.exe	128
4184	3544	WerFault.exe	133
2124	2472	WerFault.exe	139
1788	3536	WerFault.exe	146
928	4700	WerFault.exe	153
2920	3424	WerFault.exe	159
4300	1600	WerFault.exe	165
3636	3764	WerFault.exe	170
2228	2448	WerFault.exe	177
2152	932	WerFault.exe	182
4752	1616	WerFault.exe	187
1936	4444	WerFault.exe	192
4524	2440	WerFault.exe	197
744	1548	WerFault.exe	203
4668	3076	WerFault.exe	208
2292	3648	WerFault.exe	213
2284	3912	WerFault.exe	219
4184	2124	WerFault.exe	223
1808	4300	WerFault.exe	229
4428	1732	WerFault.exe	235
772	1920	WerFault.exe	241
2228	3980	WerFault.exe	246
1436	3084	WerFault.exe	251
4920	2648	WerFault.exe	256
836	1548	WerFault.exe	263
2532	1488	WerFault.exe	269
940	1808	WerFault.exe	274
5100	1200	WerFault.exe	279
5076	4068	WerFault.exe	284
1948	4020	WerFault.exe	291
3648	2340	WerFault.exe	296
4624	1908	WerFault.exe	301
4336	1020	WerFault.exe	306
2828	3164	WerFault.exe	315
2620	2164	WerFault.exe	320
408	1204	WerFault.exe	326
3544	4556	WerFault.exe	331
3432	4744	WerFault.exe	336
3008	372	WerFault.exe	341
3424	4752	WerFault.exe	345
4256	4444	WerFault.exe	350
4172	992	WerFault.exe	355
2464	2872	WerFault.exe	360
1132	844	WerFault.exe	365
3772	2420	WerFault.exe	370
2112	3076	WerFault.exe	375
516	1284	WerFault.exe	380
3432	4156	WerFault.exe	385
2228	4504	WerFault.exe	390
4024	3424	WerFault.exe	397
972	2380	WerFault.exe	402
2824	4236	WerFault.exe	407
3536	4468	WerFault.exe	413
4200	1052	WerFault.exe	418
5044	2008	WerFault.exe	423

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	install.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4444	install.exe
4816	install.exe
4816	install.exe
2292	install.exe
3476	install.exe
2284	install.exe
1956	install.exe
744	install.exe
4400	install.exe
4400	install.exe
4400	install.exe
4656	install.exe
1732	install.exe
1732	install.exe
3076	install.exe
4652	install.exe
2872	install.exe
4680	install.exe
2824	install.exe
776	install.exe
4260	install.exe
4260	install.exe
3484	install.exe
3228	install.exe
3320	install.exe
3320	install.exe
2872	install.exe
3100	install.exe
856	install.exe
856	install.exe
1020	install.exe
4340	install.exe
1924	install.exe
4512	install.exe
4272	install.exe
4744	install.exe
520	install.exe
4496	install.exe
4660	install.exe
4172	install.exe
3164	install.exe
4340	install.exe
2984	install.exe
4988	install.exe
640	install.exe
640	install.exe
640	install.exe
640	install.exe
640	install.exe
4468	install.exe
4388	install.exe
4388	install.exe
1892	install.exe
3300	install.exe
396	install.exe
396	install.exe
4528	install.exe
3980	install.exe
2008	install.exe
4624	install.exe
4856	install.exe
520	install.exe
940	install.exe
4704	install.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4804	OInstall.exe
4804	OInstall.exe
4804	OInstall.exe
4804	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
740	OInstall.exe
740	OInstall.exe
740	OInstall.exe
740	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
2668	OInstall.exe
2668	OInstall.exe
2668	OInstall.exe
4680	install.exe
4680	install.exe
4680	install.exe
1480	OInstall.exe
1480	OInstall.exe
1480	OInstall.exe
1480	OInstall.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
4900	OInstall.exe
4900	OInstall.exe
4900	OInstall.exe
4700	OInstall.exe
4700	OInstall.exe
4700	OInstall.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4804	OInstall.exe
4804	OInstall.exe
4804	OInstall.exe
4804	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4776	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
4256	OInstall.exe
740	OInstall.exe
740	OInstall.exe
740	OInstall.exe
740	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
2884	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
4752	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2148	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
2688	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
3744	OInstall.exe
2668	OInstall.exe
2668	OInstall.exe
2668	OInstall.exe
4680	install.exe
4680	install.exe
4680	install.exe
1480	OInstall.exe
1480	OInstall.exe
1480	OInstall.exe
1480	OInstall.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
4608	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
1708	OInstall.exe
4900	OInstall.exe
4900	OInstall.exe
4900	OInstall.exe
4700	OInstall.exe
4700	OInstall.exe
4700	OInstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4776	4804	OInstall.exe	90
PID 4804 wrote to memory of 4776	4804	OInstall.exe	90
PID 4804 wrote to memory of 4776	4804	OInstall.exe	90
PID 4804 wrote to memory of 4444	4804	OInstall.exe	92
PID 4804 wrote to memory of 4444	4804	OInstall.exe	92
PID 4804 wrote to memory of 4444	4804	OInstall.exe	92
PID 4776 wrote to memory of 4256	4776	OInstall.exe	95
PID 4776 wrote to memory of 4256	4776	OInstall.exe	95
PID 4776 wrote to memory of 4256	4776	OInstall.exe	95
PID 4776 wrote to memory of 4816	4776	OInstall.exe	96
PID 4776 wrote to memory of 4816	4776	OInstall.exe	96
PID 4776 wrote to memory of 4816	4776	OInstall.exe	96
PID 4256 wrote to memory of 740	4256	OInstall.exe	98
PID 4256 wrote to memory of 740	4256	OInstall.exe	98
PID 4256 wrote to memory of 740	4256	OInstall.exe	98
PID 4256 wrote to memory of 2292	4256	OInstall.exe	99
PID 4256 wrote to memory of 2292	4256	OInstall.exe	99
PID 4256 wrote to memory of 2292	4256	OInstall.exe	99
PID 740 wrote to memory of 2884	740	OInstall.exe	102
PID 740 wrote to memory of 2884	740	OInstall.exe	102
PID 740 wrote to memory of 2884	740	OInstall.exe	102
PID 740 wrote to memory of 3476	740	OInstall.exe	103
PID 740 wrote to memory of 3476	740	OInstall.exe	103
PID 740 wrote to memory of 3476	740	OInstall.exe	103
PID 2884 wrote to memory of 4752	2884	OInstall.exe	104
PID 2884 wrote to memory of 4752	2884	OInstall.exe	104
PID 2884 wrote to memory of 4752	2884	OInstall.exe	104
PID 2884 wrote to memory of 2284	2884	OInstall.exe	105
PID 2884 wrote to memory of 2284	2884	OInstall.exe	105
PID 2884 wrote to memory of 2284	2884	OInstall.exe	105
PID 4752 wrote to memory of 2148	4752	OInstall.exe	106
PID 4752 wrote to memory of 2148	4752	OInstall.exe	106
PID 4752 wrote to memory of 2148	4752	OInstall.exe	106
PID 4752 wrote to memory of 1956	4752	OInstall.exe	107
PID 4752 wrote to memory of 1956	4752	OInstall.exe	107
PID 4752 wrote to memory of 1956	4752	OInstall.exe	107
PID 4444 wrote to memory of 4068	4444	install.exe	108
PID 4444 wrote to memory of 4068	4444	install.exe	108
PID 4444 wrote to memory of 4068	4444	install.exe	108
PID 4444 wrote to memory of 4068	4444	install.exe	108
PID 2148 wrote to memory of 2688	2148	OInstall.exe	112
PID 2148 wrote to memory of 2688	2148	OInstall.exe	112
PID 2148 wrote to memory of 2688	2148	OInstall.exe	112
PID 4816 wrote to memory of 3484	4816	install.exe	114
PID 4816 wrote to memory of 3484	4816	install.exe	114
PID 4816 wrote to memory of 3484	4816	install.exe	114
PID 4816 wrote to memory of 3376	4816	install.exe	113
PID 4816 wrote to memory of 3376	4816	install.exe	113
PID 4816 wrote to memory of 3376	4816	install.exe	113
PID 4816 wrote to memory of 3376	4816	install.exe	113
PID 2148 wrote to memory of 744	2148	OInstall.exe	116
PID 2148 wrote to memory of 744	2148	OInstall.exe	116
PID 2148 wrote to memory of 744	2148	OInstall.exe	116
PID 2292 wrote to memory of 4644	2292	install.exe	118
PID 2292 wrote to memory of 4644	2292	install.exe	118
PID 2292 wrote to memory of 4644	2292	install.exe	118
PID 2292 wrote to memory of 4644	2292	install.exe	118
PID 2688 wrote to memory of 3744	2688	OInstall.exe	121
PID 2688 wrote to memory of 3744	2688	OInstall.exe	121
PID 2688 wrote to memory of 3744	2688	OInstall.exe	121
PID 2688 wrote to memory of 4400	2688	OInstall.exe	122
PID 2688 wrote to memory of 4400	2688	OInstall.exe	122
PID 2688 wrote to memory of 4400	2688	OInstall.exe	122
PID 3476 wrote to memory of 3344	3476	install.exe	123

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\OInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\OInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\OInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
      4⤵
      Checks computer location settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        5⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        6⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        7⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        8⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        9⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        10⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        11⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        12⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        13⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        14⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        15⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        16⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        17⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        18⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        19⤵
        Checks computer location settings
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        20⤵
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        21⤵
        Checks computer location settings
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        22⤵
        Checks computer location settings
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        23⤵
        Checks computer location settings
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        24⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        25⤵
        Checks computer location settings
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        26⤵
        Checks computer location settings
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        27⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        28⤵
        Checks computer location settings
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        29⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        30⤵
        Checks computer location settings
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        31⤵
        Checks computer location settings
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        32⤵
        Checks computer location settings
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        33⤵
        Checks computer location settings
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        34⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        35⤵
        Checks computer location settings
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        36⤵
        Checks computer location settings
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        37⤵
        Checks computer location settings
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        38⤵
        Checks computer location settings
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        39⤵
        Checks computer location settings
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        40⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        41⤵
        Checks computer location settings
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        42⤵
        Checks computer location settings
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        43⤵
        Checks computer location settings
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        44⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        45⤵
        Checks computer location settings
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        46⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        47⤵
        Checks computer location settings
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        48⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        49⤵
        Checks computer location settings
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        50⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        51⤵
        Checks computer location settings
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        52⤵
        Checks computer location settings
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        53⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        54⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        55⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        56⤵
        Checks computer location settings
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        57⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        58⤵
        Checks computer location settings
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        59⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        60⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        61⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        62⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        63⤵
        Suspicious use of SetThreadContext
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        64⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        65⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\OInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
        66⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        66⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        65⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        64⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        63⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        62⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        61⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        60⤵
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        61⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 580
        62⤵
        Program crash
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        59⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:3056
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        60⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 584
        61⤵
        Program crash
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        58⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        59⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 584
        60⤵
        Program crash
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        57⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        58⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 580
        59⤵
        Program crash
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        56⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        57⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 584
        58⤵
        Program crash
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        55⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4408
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        56⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 580
        57⤵
        Program crash
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        54⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        55⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 580
        56⤵
        Program crash
        
        PID:2228
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        55⤵
        Checks computer location settings
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        53⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        54⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 588
        55⤵
        Program crash
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        52⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4704
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        53⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 584
        54⤵
        Program crash
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        51⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        52⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 580
        53⤵
        Program crash
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        50⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:520
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        51⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 580
        52⤵
        Program crash
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        49⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        50⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 592
        51⤵
        Program crash
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        48⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        49⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 580
        50⤵
        Program crash
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        47⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        48⤵
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 584
        49⤵
        Program crash
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        46⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3980
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        47⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 584
        48⤵
        Program crash
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        45⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        46⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 580
        47⤵
        Program crash
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        44⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:396
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        45⤵
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        45⤵
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 608
        46⤵
        Program crash
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        43⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3300
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        44⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 580
        45⤵
        Program crash
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        42⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        43⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 580
        44⤵
        Program crash
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        41⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        42⤵
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        42⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 580
        43⤵
        Program crash
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        40⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4468
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        41⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 580
        42⤵
        Program crash
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        39⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:640
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        40⤵
        
        PID:1232
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        40⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        40⤵
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        40⤵
        
        PID:4100
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        40⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 580
        41⤵
        Program crash
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        38⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        39⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 588
        40⤵
        Program crash
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        37⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        38⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 584
        39⤵
        Program crash
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        36⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        37⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 588
        38⤵
        Program crash
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        35⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        36⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 600
        37⤵
        Program crash
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        34⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4172
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        35⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 580
        36⤵
        Program crash
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        33⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        34⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 580
        35⤵
        Program crash
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        32⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4496
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        33⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 580
        34⤵
        Program crash
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        31⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:520
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        32⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 588
        33⤵
        Program crash
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        30⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4744
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        31⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 588
        32⤵
        Program crash
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        29⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4272
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        30⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 580
        31⤵
        Program crash
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        28⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        29⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 580
        30⤵
        Program crash
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        27⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:1924
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        28⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 580
        29⤵
        Program crash
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        26⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        27⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 580
        28⤵
        Program crash
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        25⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        26⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 580
        27⤵
        Program crash
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        24⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        25⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        25⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 580
        26⤵
        Program crash
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        24⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 584
        25⤵
        Program crash
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        23⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 580
        24⤵
        Program crash
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3320
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        22⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 580
        23⤵
        Program crash
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        22⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3228
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        21⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 584
        22⤵
        Program crash
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        20⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 580
        21⤵
        Program crash
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4260
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        19⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 580
        20⤵
        Program crash
        
        PID:4524
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        19⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:776
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        18⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 584
        19⤵
        Program crash
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        17⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 580
        18⤵
        Program crash
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        15⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        16⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 580
        17⤵
        Program crash
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        15⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 584
        16⤵
        Program crash
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4652
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        14⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 580
        15⤵
        Program crash
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:3076
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        13⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 580
        14⤵
        Program crash
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        12⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 580
        13⤵
        Program crash
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        12⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:4656
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        11⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 588
        12⤵
        Program crash
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        10⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 580
        11⤵
        Program crash
        
        PID:1788
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        10⤵
        
        PID:2440
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        10⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:744
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        9⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 580
        10⤵
        Program crash
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1956
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        8⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 588
        9⤵
        Program crash
        
        PID:4184
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: MapViewOfSection
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        7⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 588
        8⤵
        Program crash
        
        PID:4284
    - - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        6⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 580
        7⤵
        Program crash
        
        PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
        5⤵
        
        PID:4644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 580
        6⤵
        Program crash
        
        PID:4508
- - C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 580
        5⤵
        Program crash
        
        PID:4520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
      4⤵
      PID:3484
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"
    3⤵
    PID:4068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 584
      4⤵
      Program crash
      PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3376 -ip 3376
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4644 -ip 4644
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3344 -ip 3344
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2872 -ip 2872
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3544 -ip 3544
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2472 -ip 2472
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3536 -ip 3536
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4700 -ip 4700
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3424 -ip 3424
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1600 -ip 1600
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3764 -ip 3764
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2448 -ip 2448
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 932 -ip 932
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1616 -ip 1616
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4444 -ip 4444
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2440 -ip 2440
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1548 -ip 1548
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3076 -ip 3076
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3648 -ip 3648
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3912 -ip 3912
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2124 -ip 2124
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4300 -ip 4300
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1732 -ip 1732
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1920 -ip 1920
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3980 -ip 3980
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3084 -ip 3084
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2648 -ip 2648
1⤵
PID:352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1548 -ip 1548
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1488 -ip 1488
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1808 -ip 1808
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1200 -ip 1200
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4068 -ip 4068
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4020 -ip 4020
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2340 -ip 2340
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1908 -ip 1908
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1020 -ip 1020
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3164 -ip 3164
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2164 -ip 2164
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1204 -ip 1204
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4556 -ip 4556
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4744 -ip 4744
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 372 -ip 372
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4752 -ip 4752
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4444 -ip 4444
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2872 -ip 2872
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 844 -ip 844
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2420 -ip 2420
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3076 -ip 3076
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1284 -ip 1284
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4156 -ip 4156
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4504 -ip 4504
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3424 -ip 3424
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2380 -ip 2380
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4236 -ip 4236
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4468 -ip 4468
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1052 -ip 1052
1⤵
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2008 -ip 2008
1⤵
PID:4784

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\install.exe.log

Filesize
520B

MD5
3ca2f9e6a94c24c455ac9431a0bf479b

SHA1
a90309eec691588990609f8f8ad9b935d6f38eb2

SHA256
e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e

SHA512
ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
C:\Users\Admin\AppData\Roaming\apppatch\mtstocom.exe

Filesize
304KB

MD5
6037361243f8c390326debbea5b85ac2

SHA1
654fca850890949bbbd41a7e4c481ab89e10839a

SHA256
b8cc287a79c750e6deb6452c0c22e00972eee2790b4ab2c9f73180e21bc1cea5

SHA512
434dda1e5ed77bc436208ba252c0d32dbc47a4aefbc3536558f35a99b776ca4a7ea2c9b602913a1193945b834e990827885afddf779c5aaaddb3ea81c6fb1929

Download Submit
memory/744-81-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/744-55-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/744-77-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/744-56-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/744-107-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1732-89-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1732-115-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1732-90-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/1732-143-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1956-95-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1956-68-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1956-35-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2284-84-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2284-58-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2284-31-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2292-22-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/2292-33-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2292-34-0x0000000004870000-0x0000000004880000-memory.dmp

Filesize
64KB

Download
memory/2292-21-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2292-62-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2824-149-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2824-150-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2872-124-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2872-123-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2872-152-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2872-151-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3076-126-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3076-100-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3344-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3344-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3476-47-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/3476-26-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3476-46-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3476-73-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3476-27-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/3764-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3764-170-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-43-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4400-67-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4400-118-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-66-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-92-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4400-91-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-16-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4444-15-0x0000000005120000-0x000000000513E000-memory.dmp

Filesize
120KB

Download
memory/4444-23-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-24-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4444-14-0x0000000002A40000-0x0000000002A68000-memory.dmp

Filesize
160KB

Download
memory/4444-36-0x0000000005190000-0x0000000005193000-memory.dmp

Filesize
12KB

Download
memory/4444-13-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4444-40-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-12-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-11-0x0000000000840000-0x0000000000892000-memory.dmp

Filesize
328KB

Download
memory/4644-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4644-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4652-112-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4652-139-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4652-138-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4652-113-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4656-104-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4656-79-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4656-102-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4656-80-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4656-130-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4680-135-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4680-137-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4816-54-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4816-19-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4816-18-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4816-28-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4816-29-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads