njrat | 7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

Analysis

max time kernel
87s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
Size

93KB
MD5

5323e11bd0c264bf43a4215ba33ce990
SHA1

ba44aa845163c4e7d8a41460dc704dfb6b014fe7
SHA256

7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35
SHA512

673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918
SSDEEP

768:8Y34QdyZnDQMMpAZrGSt6udttXyosahkGJiXxrjEtCdnl2pi1Rz4Rk3VsGdpugS7:UQYZD3rGWNd7dhkhjEwzGi1dDFDugS

Score

10^/10

njrat hackedbymalware evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedByMalware

hakim32.ddns.net:2000

0�#r��-`.1:9386

Mutex

6e260ec5ede46d01445436ce38e3055a

Attributes

reg_key
6e260ec5ede46d01445436ce38e3055a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 64 IoCs

evasion

Windows Service

T1543.003

pid	Process
3688	netsh.exe
4500	netsh.exe
1264	netsh.exe
4992	netsh.exe
3260	netsh.exe
4232	netsh.exe
396	netsh.exe
3540	netsh.exe
4920	netsh.exe
1532	netsh.exe
4716	netsh.exe
4228	netsh.exe
436	netsh.exe
2304	netsh.exe
4144	netsh.exe
5012	netsh.exe
4464	netsh.exe
4768	netsh.exe
2936	netsh.exe
4856	netsh.exe
4612	netsh.exe
1572	netsh.exe
5000	netsh.exe
1648	netsh.exe
3696	netsh.exe
2784	netsh.exe
4488	netsh.exe
1424	netsh.exe
1520	netsh.exe
2148	netsh.exe
1056	netsh.exe
1668	netsh.exe
3800	netsh.exe
4228	netsh.exe
1264	netsh.exe
1492	netsh.exe
2512	netsh.exe
4136	netsh.exe
2504	netsh.exe
4032	netsh.exe
1056	netsh.exe
2984	netsh.exe
4008	netsh.exe
4156	netsh.exe
3776	netsh.exe
3648	netsh.exe
4816	netsh.exe
1064	netsh.exe
2704	netsh.exe
2208	netsh.exe
3544	netsh.exe
3084	netsh.exe
4116	netsh.exe
1268	netsh.exe
4304	netsh.exe
116	netsh.exe
2208	netsh.exe
2660	netsh.exe
2428	netsh.exe
1200	netsh.exe
3424	netsh.exe
324	netsh.exe
3076	netsh.exe
4996	netsh.exe

Checks computer location settings 2 TTPs 31 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	BackgroundTransferHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	BackgroundTransferHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	Conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	BackgroundTransferHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	BackgroundTransferHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe	server.exe

Executes dropped EXE 37 IoCs

pid	Process
5080	server.exe
864	svchost.exe
4224	server.exe
3508	svchost.exe
1872	server.exe
2260	svchost.exe
2516	server.exe
1688	svchost.exe
1432	server.exe
1252	svchost.exe
4380	server.exe
5072	svchost.exe
2608	server.exe
1440	BackgroundTransferHost.exe
3020	BackgroundTransferHost.exe
544	svchost.exe
2624	BackgroundTransferHost.exe
3164	svchost.exe
4012	svchost.exe
5012	Conhost.exe
2352	server.exe
4148	svchost.exe
3820	Conhost.exe
2232	svchost.exe
1028	server.exe
4012	svchost.exe
4972	server.exe
4932	svchost.exe
1704	server.exe
4584	svchost.exe
1072	server.exe
2268	svchost.exe
4904	server.exe
4052	svchost.exe
4804	server.exe
4408	svchost.exe
1072	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 5080	1360	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	84
PID 1360 wrote to memory of 5080	1360	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	84
PID 1360 wrote to memory of 5080	1360	NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe	84
PID 5080 wrote to memory of 3084	5080	server.exe	89
PID 5080 wrote to memory of 3084	5080	server.exe	89
PID 5080 wrote to memory of 3084	5080	server.exe	89
PID 5080 wrote to memory of 2512	5080	server.exe	93
PID 5080 wrote to memory of 2512	5080	server.exe	93
PID 5080 wrote to memory of 2512	5080	server.exe	93
PID 5080 wrote to memory of 1264	5080	server.exe	95
PID 5080 wrote to memory of 1264	5080	server.exe	95
PID 5080 wrote to memory of 1264	5080	server.exe	95
PID 5080 wrote to memory of 864	5080	server.exe	97
PID 5080 wrote to memory of 864	5080	server.exe	97
PID 5080 wrote to memory of 864	5080	server.exe	97
PID 864 wrote to memory of 4224	864	svchost.exe	98
PID 864 wrote to memory of 4224	864	svchost.exe	98
PID 864 wrote to memory of 4224	864	svchost.exe	98
PID 4224 wrote to memory of 1424	4224	server.exe	101
PID 4224 wrote to memory of 1424	4224	server.exe	101
PID 4224 wrote to memory of 1424	4224	server.exe	101
PID 4224 wrote to memory of 1532	4224	server.exe	106
PID 4224 wrote to memory of 1532	4224	server.exe	106
PID 4224 wrote to memory of 1532	4224	server.exe	106
PID 4224 wrote to memory of 4304	4224	server.exe	105
PID 4224 wrote to memory of 4304	4224	server.exe	105
PID 4224 wrote to memory of 4304	4224	server.exe	105
PID 4224 wrote to memory of 3508	4224	server.exe	107
PID 4224 wrote to memory of 3508	4224	server.exe	107
PID 4224 wrote to memory of 3508	4224	server.exe	107
PID 3508 wrote to memory of 1872	3508	svchost.exe	109
PID 3508 wrote to memory of 1872	3508	svchost.exe	109
PID 3508 wrote to memory of 1872	3508	svchost.exe	109
PID 1872 wrote to memory of 396	1872	server.exe	110
PID 1872 wrote to memory of 396	1872	server.exe	110
PID 1872 wrote to memory of 396	1872	server.exe	110
PID 1872 wrote to memory of 2064	1872	server.exe	116
PID 1872 wrote to memory of 2064	1872	server.exe	116
PID 1872 wrote to memory of 2064	1872	server.exe	116
PID 1872 wrote to memory of 5000	1872	server.exe	113
PID 1872 wrote to memory of 5000	1872	server.exe	113
PID 1872 wrote to memory of 5000	1872	server.exe	113
PID 1872 wrote to memory of 2260	1872	server.exe	117
PID 1872 wrote to memory of 2260	1872	server.exe	117
PID 1872 wrote to memory of 2260	1872	server.exe	117
PID 2260 wrote to memory of 2516	2260	svchost.exe	118
PID 2260 wrote to memory of 2516	2260	svchost.exe	118
PID 2260 wrote to memory of 2516	2260	svchost.exe	118
PID 2516 wrote to memory of 4768	2516	server.exe	120
PID 2516 wrote to memory of 4768	2516	server.exe	120
PID 2516 wrote to memory of 4768	2516	server.exe	120
PID 2516 wrote to memory of 3800	2516	server.exe	124
PID 2516 wrote to memory of 3800	2516	server.exe	124
PID 2516 wrote to memory of 3800	2516	server.exe	124
PID 2516 wrote to memory of 2736	2516	server.exe	121
PID 2516 wrote to memory of 2736	2516	server.exe	121
PID 2516 wrote to memory of 2736	2516	server.exe	121
PID 2516 wrote to memory of 1688	2516	server.exe	125
PID 2516 wrote to memory of 1688	2516	server.exe	125
PID 2516 wrote to memory of 1688	2516	server.exe	125
PID 1688 wrote to memory of 1432	1688	svchost.exe	126
PID 1688 wrote to memory of 1432	1688	svchost.exe	126
PID 1688 wrote to memory of 1432	1688	svchost.exe	126
PID 1432 wrote to memory of 4616	1432	server.exe	127

C:\Users\Admin\AppData\Local\Temp\NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5323e11bd0c264bf43a4215ba33ce990_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1360
- C:\ProgramData\server.exe
  "C:\ProgramData\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3084
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2512
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1264
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\ProgramData\server.exe
      "C:\ProgramData\server.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1424
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4304
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:1532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:5000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        7⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:4768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        9⤵
        Modifies Windows Firewall
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        10⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        11⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1252
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        12⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:3688
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        13⤵
        Modifies Windows Firewall
        
        PID:2660
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5072
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        15⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        15⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        
        PID:1440
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        16⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        17⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:544
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        18⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:4992
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        19⤵
        Modifies Windows Firewall
        
        PID:4464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3164
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        20⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:1264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:1056
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        21⤵
        Modifies Windows Firewall
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        
        PID:5012
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        22⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:4716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        23⤵
        Modifies Windows Firewall
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4148
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        24⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:1492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        25⤵
        Modifies Windows Firewall
        
        PID:3076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        25⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2232
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        26⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        27⤵
        Modifies Windows Firewall
        
        PID:4856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        27⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:4012
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        28⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:3540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        29⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4932
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        30⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        Drops startup file
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:2784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        31⤵
        Modifies Windows Firewall
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4584
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        32⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:4488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        33⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        33⤵
        Modifies Windows Firewall
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2268
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        34⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        35⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        35⤵
        Modifies Windows Firewall
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4052
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        36⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        37⤵
        Modifies Windows Firewall
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        37⤵
        Modifies Windows Firewall
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4408
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        38⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:4816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:1064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        39⤵
        Modifies Windows Firewall
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        39⤵
        
        PID:3116
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        40⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:436
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        41⤵
        Modifies Windows Firewall
        
        PID:4232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        41⤵
        Modifies Windows Firewall
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        41⤵
        
        PID:2916
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        42⤵
        
        PID:644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        Modifies Windows Firewall
        
        PID:4156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        43⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        43⤵
        Modifies Windows Firewall
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        43⤵
        
        PID:4748
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        44⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        45⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        45⤵
        Modifies Windows Firewall
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        45⤵
        
        PID:4500
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        46⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:2304
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        47⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        47⤵
        
        PID:2940
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        48⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        49⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        49⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        49⤵
        
        PID:4156
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        50⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        51⤵
        Modifies Windows Firewall
        
        PID:4136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        51⤵
        
        PID:1948
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        52⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:4500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        53⤵
        Modifies Windows Firewall
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        53⤵
        
        PID:2740
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        54⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:4144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        55⤵
        Modifies Windows Firewall
        
        PID:2428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        55⤵
        
        PID:4592
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        56⤵
        
        PID:528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        
        PID:4996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        57⤵
        Modifies Windows Firewall
        
        PID:4920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        57⤵
        Modifies Windows Firewall
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        57⤵
        
        PID:1260
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        58⤵
        
        PID:220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        
        PID:224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        59⤵
        Modifies Windows Firewall
        
        PID:4032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        59⤵
        Modifies Windows Firewall
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        59⤵
        
        PID:3856
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        60⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        Modifies Windows Firewall
        
        PID:4116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        61⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        61⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        61⤵
        
        PID:5104
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        62⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        63⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        63⤵
        Modifies Windows Firewall
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        63⤵
        
        PID:4364
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        64⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        65⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        65⤵
        Modifies Windows Firewall
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        65⤵
        
        PID:1780
        
        C:\ProgramData\server.exe
        
        "C:\ProgramData\server.exe"
        66⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:1268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        67⤵
        Modifies Windows Firewall
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        67⤵
        
        PID:2004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Drops startup file
- Executes dropped EXE
PID:2624

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Drops startup file
- Executes dropped EXE
PID:3020

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\ProgramData\server.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
25B

MD5
020e1f40cd2d126d724be2d923688f73

SHA1
1bc32594bd0b62cc7bdfaab0d6f814dc950f91ef

SHA256
576f1f3e60a33cb21f0456abd3f00db63a8b62b2f457457bff1a6e56c67dfb7c

SHA512
30e1d1f07192e8aa01eae4cba754532f21c5e0c2b66d3bf347643e8f8bf3ba64c620e812d272a18f3fdfe5860f6669f7a90afdb4fcf02317d080ea217c583fd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e260ec5ede46d01445436ce38e3055aWindows Update.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
5323e11bd0c264bf43a4215ba33ce990

SHA1
ba44aa845163c4e7d8a41460dc704dfb6b014fe7

SHA256
7fbff56a5c6c7269baaeeacd2ed70dc625e8e7137b70d284dcd4ba12a17a5f35

SHA512
673baed9352b4ae5e1b5cd0b74dc03103c9f15516431c854a02a60aa87cc8dceff762c05176038513414d2b27712656883bfd759a61fdd9118315fc54518f918

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
399f38fdf7aaf217d0b32896af9f298c

SHA1
db37bfb5bd821b9068587df50d57b38f0287d760

SHA256
c4814a00866e93627816b8987550d30010a862936285a5ceb656f06b6d285b46

SHA512
0130418d2e5bbe23e1a796ea11be0abdd639ae4ab36eae64ab0404984c1b0928a95fb14ee5444b0681e6e0eb23911fe3ac619137ed0241ae60cf1d8c8672d179

Download Submit
memory/544-284-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/544-273-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/544-275-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/864-48-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/864-35-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/864-34-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1252-175-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1252-187-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1252-176-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-2-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download
memory/1360-13-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-1-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-0-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1432-155-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1432-153-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1432-174-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1440-258-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1440-245-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1440-246-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-154-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-142-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-140-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-86-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/1872-106-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-85-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-87-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-108-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-119-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-107-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-120-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-141-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2516-121-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-225-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-224-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-222-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/2608-244-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2624-283-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2624-299-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/2624-285-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3020-260-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3020-257-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3020-274-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3020-259-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/3164-300-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3164-298-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-73-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-84-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/3508-71-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4012-308-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-49-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-50-0x0000000001780000-0x0000000001790000-memory.dmp

Filesize
64KB

Download
memory/4224-72-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-51-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-189-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/4380-188-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-190-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-210-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-209-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-223-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-211-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-33-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-16-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download
memory/5080-15-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/5080-14-0x0000000074800000-0x0000000074DB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads