cybergate | e124cb8204301b3f7e298604a3dfa04227c5145f4429bca273d6b2527bee85d6

Analysis

max time kernel
22s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77f5c0427c0af031c7fcd4f87683ec73.exe
Size

484KB
MD5

77f5c0427c0af031c7fcd4f87683ec73
SHA1

9ce7a351e285c52c3291b03e13c21af746c60050
SHA256

e124cb8204301b3f7e298604a3dfa04227c5145f4429bca273d6b2527bee85d6
SHA512

99b4a515da3c3db17ce93e5078fd13bd452b4374281440fe8299a3457a97e8c6d4d619a3df8f8135c409a95c9b4eb2aecf9d938ef0882b2c16282b140d8088bd
SSDEEP

12288:J8V0RDQdD9yMRqOm91EkHewncPKdbWUhvGQAHe8fAIwgw4lAAx9BhmroAi:JozdD9rqOUvHhncibWUhuHe8fAIwgw4G

Score

10^/10

cybergate spy persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Spy

82.242.250.193:81

82.242.250.193:82

82.242.250.193:83

Mutex

5D0SS5G3R0D6S6DH0T2S

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Java
install_file
JavaUdapter.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 64 IoCs

pid	Process
2992	WinApp.exe
1740	WinApp.exe
2856	WinApp.exe
2688	WinApp.exe
2812	WinApp.exe
2672	WinApp.exe
2824	WinApp.exe
2900	WinApp.exe
2864	WinApp.exe
1648	WinApp.exe
2904	WinApp.exe
1348	WinApp.exe
1712	WinApp.exe
1536	WinApp.exe
1292	WinApp.exe
2820	WinApp.exe
2444	WinApp.exe
1656	WinApp.exe
2764	WinApp.exe
1384	WinApp.exe
1936	WinApp.exe
2008	WinApp.exe
2012	WinApp.exe
2004	WinApp.exe
1412	WinApp.exe
1952	WinApp.exe
1744	WinApp.exe
1004	WinApp.exe
432	WinApp.exe
1408	WinApp.exe
1948	WinApp.exe
1688	WinApp.exe
2956	WinApp.exe
1140	WinApp.exe
2392	WinApp.exe
2076	WinApp.exe
2436	WinApp.exe
1780	WinApp.exe
2452	WinApp.exe
1612	WinApp.exe
1052	WinApp.exe
2504	WinApp.exe
2148	WinApp.exe
1404	WinApp.exe
2416	WinApp.exe
2692	WinApp.exe
1864	WinApp.exe
2440	WinApp.exe
1600	WinApp.exe
2160	WinApp.exe
2724	WinApp.exe
2696	WinApp.exe
3012	WinApp.exe
2644	WinApp.exe
556	WinApp.exe
1480	WinApp.exe
596	WinApp.exe
1464	WinApp.exe
1528	WinApp.exe
1324	WinApp.exe
2876	WinApp.exe
1636	WinApp.exe
2688	WinApp.exe
2928	WinApp.exe

Loads dropped DLL 14 IoCs

pid	Process
3000	77f5c0427c0af031c7fcd4f87683ec73.exe
3000	77f5c0427c0af031c7fcd4f87683ec73.exe
3000	77f5c0427c0af031c7fcd4f87683ec73.exe
3000	77f5c0427c0af031c7fcd4f87683ec73.exe
2992	WinApp.exe
1740	WinApp.exe
2992	WinApp.exe
2688	WinApp.exe
2856	WinApp.exe
2812	WinApp.exe
2812	WinApp.exe
2900	WinApp.exe
2900	WinApp.exe
2672	WinApp.exe

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	77f5c0427c0af031c7fcd4f87683ec73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinApp = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp.exe"	WinApp.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 set thread context of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 2992 set thread context of 2688	2992	WinApp.exe	156
PID 1740 set thread context of 2856	1740	WinApp.exe	208
PID 2992 set thread context of 2812	2992	WinApp.exe	167
PID 2856 set thread context of 2672	2856	WinApp.exe	71
PID 2688 set thread context of 2900	2688	WinApp.exe	72
PID 2812 set thread context of 2824	2812	WinApp.exe	343
PID 2812 set thread context of 2820	2812	WinApp.exe	169
PID 2900 set thread context of 2864	2900	WinApp.exe	86
PID 2900 set thread context of 1648	2900	WinApp.exe	287
PID 2672 set thread context of 2904	2672	WinApp.exe	226
PID 1648 set thread context of 1348	1648	WinApp.exe	52
PID 2824 set thread context of 1712	2824	WinApp.exe	56
PID 2864 set thread context of 1536	2864	WinApp.exe	90
PID 2904 set thread context of 1292	2904	WinApp.exe	170
PID 1648 set thread context of 2444	1648	WinApp.exe	54
PID 2824 set thread context of 1656	2824	WinApp.exe	57
PID 2864 set thread context of 2764	2864	WinApp.exe	325
PID 2904 set thread context of 1384	2904	WinApp.exe	53
PID 1536 set thread context of 1936	1536	WinApp.exe	47
PID 1348 set thread context of 2012	1348	WinApp.exe	230
PID 2820 set thread context of 2004	2820	WinApp.exe	43
PID 1712 set thread context of 1744	1712	WinApp.exe	49
PID 2820 set thread context of 1952	2820	WinApp.exe	44
PID 2820 set thread context of 2008	2820	WinApp.exe	203
PID 2820 set thread context of 1412	2820	WinApp.exe	133
PID 2764 set thread context of 1004	2764	WinApp.exe	35
PID 1292 set thread context of 432	1292	WinApp.exe	197
PID 1292 set thread context of 1408	1292	WinApp.exe	34
PID 1292 set thread context of 1948	1292	WinApp.exe	179
PID 1292 set thread context of 1688	1292	WinApp.exe	185
PID 2444 set thread context of 2956	2444	WinApp.exe	59
PID 2444 set thread context of 1140	2444	WinApp.exe	39
PID 1744 set thread context of 2392	1744	WinApp.exe	68
PID 2008 set thread context of 2076	2008	WinApp.exe	76
PID 2008 set thread context of 2436	2008	WinApp.exe	66
PID 1384 set thread context of 1780	1384	WinApp.exe	164
PID 1384 set thread context of 2452	1384	WinApp.exe	67
PID 1384 set thread context of 1612	1384	WinApp.exe	157
PID 1384 set thread context of 1052	1384	WinApp.exe	37
PID 1384 set thread context of 2504	1384	WinApp.exe	40
PID 1948 set thread context of 2148	1948	WinApp.exe	350
PID 1004 set thread context of 1404	1004	WinApp.exe	100
PID 2004 set thread context of 2692	2004	WinApp.exe	84
PID 1936 set thread context of 2696	1936	WinApp.exe	83
PID 1140 set thread context of 2724	1140	WinApp.exe	168
PID 2004 set thread context of 1600	2004	WinApp.exe	106
PID 2004 set thread context of 2160	2004	WinApp.exe	232
PID 1936 set thread context of 1864	1936	WinApp.exe	105
PID 1936 set thread context of 2416	1936	WinApp.exe	70
PID 1688 set thread context of 2440	1688	WinApp.exe	306
PID 1656 set thread context of 3012	1656	WinApp.exe	79
PID 1656 set thread context of 2644	1656	WinApp.exe	334
PID 1656 set thread context of 1480	1656	WinApp.exe	64
PID 1656 set thread context of 556	1656	WinApp.exe	58
PID 1656 set thread context of 596	1656	WinApp.exe	236
PID 1412 set thread context of 1324	1412	WinApp.exe	88
PID 1412 set thread context of 1528	1412	WinApp.exe	73
PID 1412 set thread context of 1464	1412	WinApp.exe	376
PID 1952 set thread context of 1636	1952	WinApp.exe	85
PID 1952 set thread context of 2876	1952	WinApp.exe	184
PID 1952 set thread context of 2120	1952	WinApp.exe	214
PID 2012 set thread context of 2928	2012	WinApp.exe	87

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 2992	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	121
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 3000 wrote to memory of 1740	3000	77f5c0427c0af031c7fcd4f87683ec73.exe	28
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 2992 wrote to memory of 2688	2992	WinApp.exe	156
PID 1740 wrote to memory of 2856	1740	WinApp.exe	208
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167
PID 2992 wrote to memory of 2812	2992	WinApp.exe	167

C:\Users\Admin\AppData\Local\Temp\77f5c0427c0af031c7fcd4f87683ec73.exe
"C:\Users\Admin\AppData\Local\Temp\77f5c0427c0af031c7fcd4f87683ec73.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2856
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2992

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2904
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1292
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1384
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:2452
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:760
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1848
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4952
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3116
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4780
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3888
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4716
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1308
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3840
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:2660
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:872
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:564
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2044
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3668
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2968
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1780
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:852
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1844
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        7⤵
        
        PID:5100
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2336
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:560
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3968
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4592
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2032
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1092
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:2896
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2788
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:1540
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:948
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4884

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2864
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:1004
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      PID:1404
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1456
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:1156
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:1388
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3388
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        7⤵
        
        PID:5028
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1536

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:1648
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1348
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2444
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2956
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2864
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:672
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1604
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2756
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:4844
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:5084

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
PID:1408
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:4016
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:388
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:2440
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1536
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:4608
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3608
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3208
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3780
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3508
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:4388
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1748
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2428
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2236

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:596
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1692
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3960
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4668

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
PID:1052
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1256
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3720
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:5068
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3712
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:5092
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1412
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3184
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:580
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3212
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3328
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2812

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:432
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2796
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1904
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3952
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3532
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1308
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3460
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4484
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1468
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4068
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4076
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:5112
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1804
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2872
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4336
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:2904
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3228
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4348
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1192
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3396
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:4024

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1140
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2284
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3944
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1844

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2504
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1748
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2580
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4200
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3660
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4376

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:908
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4852
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2572

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1060
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3552

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2004
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2160
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3168
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2976
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4676
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2656
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3824
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1068
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3604
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4960
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3160
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3904
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:328
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2100
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2008
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3076
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3736
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3600
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1456
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4576
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2012
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3032
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1768
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:1648
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2972
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2824
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3260
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4804
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4088
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3004
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:804
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2096
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4836

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2068
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2824
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3844
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2492
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4280
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2876
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:296
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2092
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2508
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2844
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4824
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2012
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2124
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3676
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1136

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:876
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3972
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:2052
      - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        6⤵
        
        PID:3064
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2812
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3956
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3688
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2244
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1016
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1628
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1644
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4416
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3108
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4692
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3984
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4732
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2076
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2072
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1964
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2704
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3652
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2764
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2684

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:1412
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1464
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2568
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2372
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4876
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:1612
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3612
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1800
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1996
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2040
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3124
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3764
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1488
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3352
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2664
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1492

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1936
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1164
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3152
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2420
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4816
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      PID:2876
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3768
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2556
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:1948
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3700
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:2232
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:1972

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:1612
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2728
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:796
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4172

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1744
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:768
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1568
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3616
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3024
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3056
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2212
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3632
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1980

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2012
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2600
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:1688
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2284
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3404
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:3380
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      PID:2160
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4428
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3744
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4300
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:2856
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3136
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3788
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      Executes dropped EXE
      PID:432
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3756
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3560
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 580
      4⤵
      PID:4616

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1712

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1656
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:556
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3488
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2412
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3572
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:996
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2628
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4496
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3564
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:864
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1760
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:3320
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4108
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:716
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1596
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3516
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1912
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2984
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2220
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3412
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:4364
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:796
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3420
- C:\Users\Admin\AppData\Roaming\WinApp.exe
  C:\Users\Admin\AppData\Roaming\WinApp.exe
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Roaming\WinApp.exe
        
        C:\Users\Admin\AppData\Roaming\WinApp.exe
        5⤵
        
        PID:5056
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:1292
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:1532
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:2776
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4100
- - C:\Users\Admin\AppData\Roaming\WinApp.exe
    C:\Users\Admin\AppData\Roaming\WinApp.exe
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3444
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:3816
  - - C:\Users\Admin\AppData\Roaming\WinApp.exe
      C:\Users\Admin\AppData\Roaming\WinApp.exe
      4⤵
      PID:4148

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2820

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2672

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2900

C:\Users\Admin\AppData\Roaming\WinApp.exe
C:\Users\Admin\AppData\Roaming\WinApp.exe
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
129KB

MD5
b4c2df1547460ea3bf78f86193172d70

SHA1
cb49640c8649a63a1b970ee77f9e7934d6eaa387

SHA256
c44b869728a9f1208a38ac13cec0d7f1fb30f1a39172e1a8393eed2657521d70

SHA512
9b9dcd1ce56a80fb917b41f269c05d8d4db71bf94d8c06753996a8aca776f30e33e52d6f950e3e6a4d5f4df88f713cadeb7d38d237415206addbb2fa1d3e036d

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
256KB

MD5
7d0745f17f2b02641a10637e26a06184

SHA1
081cc8bf4ec2081e87e2e457e7839e2cfb0136b0

SHA256
fbd8432221814b13a47a6cc37550e3fe8190f5ff0da3688f88a91bb86cfa92fe

SHA512
1aae1e04a4e593cd3026e8b9a9de7998ebfb98f07cbe7045ed9e37bb419e9df0b0e6a7b9fd823bc2c050d41577f3feed4447603656d010aca9614d02f6289e41

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
314KB

MD5
880b26440eeb0e604a8bd10b6ade1466

SHA1
a42b55777fe2783ecd7478b726179c9298f5103a

SHA256
c39098dbdcc19015df218e9434b97e61ede1a137ed4d0e556b9026eeb6e82bf7

SHA512
72dd7ffa97845442893defc692fd390f6ba31ce439ffa76bb3a2b34cb8d17d68ee02ba31a9a5e0426501b31bcfd0d52ebe4bd19c376d224968dcad5d51a890c8

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
286KB

MD5
a920e9eec68468e4907b8ee2b50bef66

SHA1
ddd22d6bbe799f3c96de86a4474d7a0a61a0dee8

SHA256
9c9d4b2f489c796c37420fffb714b88b9d0bfcb4692df1dfd3c2e8ecffbdf8a3

SHA512
aaf04c18281ac63bcba744c4fa48024255e55510ec85d43a00e3214feb587d545becb67f5795f43e195a19bac78d190f1e2b84ecaa46f45b72704e42562e1bef

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
21KB

MD5
07d1e839c1d6f474d5e2fb4c24cf4e7b

SHA1
131219f3858bbd896ee3f562b8c71196dd588968

SHA256
a08e2f4d31575fe0aec2f0620630a08aef00484d3d1f659d5b66945a1b88ee85

SHA512
87fb3daa112f7457be442febbd26f0f6d5791bc176b8280b4f1713ea5437a4aa3c44e3980db86d3ab2a1f41f02c74245aa3fa22cd041461dc76f3f731bfa0511

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
217KB

MD5
b339fedec03875e2b24b490092f3c4e5

SHA1
b652be5ac8a5beecdcb8a9b97d2b11780704a746

SHA256
7d80634d8a2ae293de71d3cd2e1ac9648e2bfd6cde9a11be7ad8c6aa6b48d656

SHA512
cda7eac5cc9bc69b068fce3c939164701cd58ee5432063058c8a699471d990e2dc0299759246c5ed270f77457bae53486047fba05ca44fa0dcf701145a84c4d9

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
68KB

MD5
e2ae36fe8c06fd78966e0c1ceb986891

SHA1
fd2431c86ee9d0e621018233a2db28fad6de8e7a

SHA256
834c8854a95f44912fd31a9ce5f311f7a87ebbec01d431aa839a9c01fdfbf4b4

SHA512
27aa8d60a6c83287be4937c729bb379350d5de1fcd004dcd126778877d00f6941e519f7db6b87a386f4c6dd7e1168c40dd191bd9aeeea7fa7e410f2c986e1de2

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
22KB

MD5
35b94bf654f0827622d313512361617f

SHA1
73247bd89024504a8f936cd8e263bb6b01cb208b

SHA256
af0444529cea6f268d32615af6a231e07e13a51b772b62783d2ed7f7842221fa

SHA512
f5e50de9d87fbad68533027afd1c46705af24e0263ec0aff3fd531f7a330adf04045b9ee72a41aeb0fb858a866536691e00f5aa5590c21b664e7c21e57c5ba0f

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
215KB

MD5
97bc121bece2dc82375ad64f2a69ee10

SHA1
85eb6a95c88b3be28fbe9808b721f7603c53869f

SHA256
ba4f60d1d1baffb1e4851f665400adca4f01812d7f6ab920fde0f561b95d4fe6

SHA512
b2622597a40abf4768dffb4db33e05af5b7d0877a6f1e0cecfae2308b63d659b94fb700a032dc85cce1e6d0bd05111917e24ba09ae4de9d554e6f51b863ad06b

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
179KB

MD5
990d307c9c397d4113678e282ba1b72a

SHA1
30733b1d9fe3ca075414333586db96d4f08acbcd

SHA256
f798040a16565993fcd58aed80d5a4d0271bd39911681eba56cf7f4db5e13671

SHA512
e846fd93625fd29ef3e79618c30a02637d3802ec9f72939ff78c1d074356b12a12a623858e94a6fedcdf4501792a3f0116548ef3bca31c3375150bc980d61a44

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
269KB

MD5
4af17955fe0480f27fddc3fb9cefa316

SHA1
1ead57e4a9da44981b8ad39cb3bc68c7bd3d82bd

SHA256
1b43cd46085cd2df3b783b4fefadc4bfd762242ad762af073bbbbb84125107e7

SHA512
09a65465536582d28627188c7b2470aec6341ace76cd15def97b5cbe56ff637763aea68f36441106803e724e9c56656b8dea59094c8405c632be0225f0077a5b

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
192KB

MD5
e641b8f47b699377762f3e77b14c8959

SHA1
9689a04c1b30c793e4070c23301e7ee09482132a

SHA256
934543b1cc663abc0d7467a580adbb5c25aa40db3efb7baaf81018e11005aff9

SHA512
30406bb6dac903a4500193815a380df69fcbcc06e4620dfa02c956c1b5e46aa2fdc480556e97398dcebeb9081f142fd62bfde2925e413835758e83d53db3b4ef

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
181KB

MD5
5300bf5465d00983f3d395555734669f

SHA1
ab6915167db4897d699c049a16c543bf5af25361

SHA256
27511b145f9730bfcb6a5fa5b7392a9151403cedd1cc2d124e1ece4c5b1c68f8

SHA512
18884babd8c5363862c092889be6d736150e3aca61d66a2c025ef1ad93ced1c7d042ba651b9d211893b6fddbf5d70461dc69fbdd2835de2513f735f6e3f6abe2

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
85KB

MD5
3a5793478799a7202a3fa5bf59fb4c53

SHA1
5a55d1a4082cf6581f45fd4431d4e8d08f6ca03b

SHA256
c4513cb1071bde02ac9febf9f4ff327a74053f8391c2eb0a0502c13900a7341e

SHA512
3847607c81e0eff40421d9fc7476f23e2e2666f61238a8e1ca987843966d052bbdfad45a1f88416165851d7a9e201d0278e49546a7b08b297cbe97ae5547b5e4

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
251KB

MD5
c93a477e4bf1dd9f99c1ad5c1f710b98

SHA1
fee662645f81d413f49baee3d796b4554467a11c

SHA256
848469343f0023e2707660ab89aae4a9b64c1ace3f72d302535707d8d036c9f5

SHA512
fcc4ca7cf5d2bc4d06605f5b527b835fe71e1de51313b8794c18b39642db5ba51776a936658fc89877f8510d451cf0759b0d0d56cd4694c271f026df660ab332

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
5KB

MD5
7b3791632b13480aadaf26774ab4d447

SHA1
377c225e1dda6a7669978f2953e8d86c952a16c9

SHA256
e133c8bcea61f29bf90f1cdf814d21ed4f41b44f04d7fb004b48b5f762da1bde

SHA512
5516ef8c95f3cc5c7d9d573adfa89fad164928bad83cb670f911990e51afd49dc2b0d765b7a892f649b5ce480993d6f56707d094ddb1c15d76e0ecb4fc6920f1

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
438KB

MD5
20a63d42ceb59fa31a73936ff51fb5e7

SHA1
14bbfb0047b30b426453735532b9788cb8e33e9f

SHA256
f9f1eeb8482e9cf884d2042a3c8a9601c4dab5dc2e1e1048e2aff88e83279e36

SHA512
33ce122d6b34e6fb2d71376478a0cabb8ab08c65bf346f873cb39c70004e7fe90228fd37c7cb4b0a727e6196ebd8cf0ffe750566c85717ab4dcad4a196653eef

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
351KB

MD5
68bd690ea72ceda62a928cb4caee95b3

SHA1
4c872141e0ea0a987f30b93177cc3925c3881969

SHA256
27d9aade0d35c54aae66cfd20493e6edf4de88d417d84c4738418421a853f2ab

SHA512
511a4b384b223c5c788b0e8ca8aa814089e97f4bcdb456fac756beed11a03903ef3579972ca7a11afb870bb9e7f92ebb8e1ca5ae73686423bada42d2d0741743

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
1KB

MD5
be3db6437137f47d304465877711302e

SHA1
cbad933a55d0669879846fbbd754ff358b15fb27

SHA256
dacd47010425dea0e6e4329567f64a787c769fe71be7c116b8d153a36a599e66

SHA512
2630ae6a3d6d498c11560e398c5ddf3c4d1959236f5d9ae580a8b327e9a4bf657dc9bfec42b6cec76796e3168ad37a5101f136e243177cdc1910e1d3bd775b35

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
16KB

MD5
63c66c0a54b374791286e9cebbeca20b

SHA1
51e9a7191b00676f3d55367ca06b55bed158709e

SHA256
c9b0a24891b843a836ef6cd2ea01a97710c0c4ab3c35863ad4d6970ef786f79c

SHA512
a80d8308b5c58c0dfc60752a8f1cf61af93b0060f920a12e82dfde34c0ed3d2f210e284fbea5e36abd01d07f5627cbfc39c489b6b201dab6dff332bdf4edb97c

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
264KB

MD5
abe0c59de66d4c6a681ba78217239e99

SHA1
21a6cf29dfee259529b3946d5eb1db56b6d56a5c

SHA256
037949f734feacd2ef015b1c870ceb6f5fdf19bf3528def129462c47dc884ade

SHA512
7f708818d26c2e4b02f5def79c1efbcace44c048bcd4f6b89384e4787154460fbb9d05989d821d268b9886e53094239ff8c14b701ef3e99d09ee4c75870a270d

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
262KB

MD5
672a80e70224618fa85ce4a27ca7722f

SHA1
6927f64f8abe05e2b8a3463b1d2bbe20cf024d32

SHA256
4b21d105e8c7f4662c3874141932e94e27edf349d8e952cec16486a9dc286fdc

SHA512
59eded56805d0853f5a3d9064e685649ce09d95030425808923beec984a3aa5fdd19cbfdfaba7154467fe55d1e96c6503ff3620352998890de6261fb316f4cab

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
382KB

MD5
7e1569c691d00fba4da08b903a34b7bb

SHA1
23f6595871de5f982e427b2d9f6791f7b8a5bc2d

SHA256
81dc16dd485223daf689fd696c6e6ae86c8fcb1805a8e89aa22330fd0c09cdab

SHA512
8ae64c039d1266a886a42b2fc3371f00f2c5f15fd93765f0caa460ecb7365be9eda0e476d5bf2404d8659d714c2b88bf2af64be1a7925a65f8dfbcfbbee47746

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
379KB

MD5
21bdb2e95d70a74331232ffba4b07fc4

SHA1
1c24175d694c3c6eb11e5ecc616a021a496b9e43

SHA256
a38dcff19bb23734eae99e95bf91687f6ee4c160eac95c076f752da6bbde283c

SHA512
fe9362aeee24ca1e4e1ee2091e6481505a5409399571287fabcd10de3f6eb54c5817cf9870a1d2b16bed00e1fb35e17f31a4c9aef665e1a9e65cc1c45ac8ebe1

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
336KB

MD5
d4dc4bbf4e13b7f4884dbd3ff21dadb0

SHA1
2ba30228efeb77560bc79f09a5cbcadfa7f605b2

SHA256
9a7b8f5a36df18dd85f19242b389f839d0dd562eddedbc490eede680cbd15d60

SHA512
ed5736648eae5d050bd04b28eac8ba975e2b98745d85715465feb447cad593477819aaf8d8c9acc2f9e70d07ba71fbed76d8356c5e539bc873aa20928d2b941a

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
234KB

MD5
890d47c493f0dfaa83a3f03147181feb

SHA1
a154df1a982a43a2acd3dee8041592f947625230

SHA256
f328190c08dc26d156494bbf5657f6c6788bfce2e39da9c042cc697b58c14789

SHA512
2266f19695c6e30a301dbf5b5999fc8a83e5a72594ce3d7c515ca431ccfdca107251acc009e588ddc252d22ef5b96f037580045696da7c3858659f364a8a0c32

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
167KB

MD5
f54eff7a7d077a1395c5780b30ccfbb9

SHA1
895ebf6f331a7f6dec5cc66d0a85502881233488

SHA256
a428049d043bf255b7078d7ef3982d7e52aff23637f6516dd65928f7bf987e93

SHA512
f3f362f8f6b40fe9796fed31f05e27f3284c4ea6e91dcb956b9cea8690f7bd65072939ec70f1f7b0ec8170ff157e65d7830673dee58560cb159c1f46695ff90a

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
87KB

MD5
4c645629b4edc94a748c619790205c47

SHA1
bfaf460e321d60d7c1c676990f69fed8be67b2e8

SHA256
a3cbba0431fdf4f73ca364a1542df97e1bba88074f3e55408c02e648bc69034f

SHA512
fb6cfa7759b768b8b2dc452577dc280f4833b70abf522c394389d4acc6102e00e455967b5b6c90fe3b073667319dc629698e34c7ffd334cf5f9544a61563b728

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
14KB

MD5
605cb364e914e2fc78dc50cdf8a2282e

SHA1
d5b1571d6d0e0e72c70601e52f60fd62cd73afe3

SHA256
cefd15447892b227995cf4fb000081269049d6efa3a6c39eae6a3e6860c158fe

SHA512
f2a2dbb5e441faa366c64d637ad53afd143fbe7e96b301ab05b86f34bd72471543e1db57330de15a27156a6287b97f6e8ce17fb2cae7b3e75c2d2b4b26439d7b

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
96KB

MD5
ee4aa34e329ef9ee8f54fdb28f95aa24

SHA1
6870a04e24136e63b3fa5a803793016a4b53e077

SHA256
8d444f67b1f4ebf72216e73d256e90e1d3b12755c90141aec5f37452c67c9d1d

SHA512
b8258e791b96b00769ab7fd30e4c7ac97f82a7205e76310f6ed7ec7aee5a76a62499d97eddcd091c44163b08f4e94e5be39c61f53d30201494655badb1bd6ac0

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
126KB

MD5
ac8ab7449c276945cd35947212ee6872

SHA1
b4208eec02c17801c879d1a97f373ed0dfca899a

SHA256
4dc3151002e4dabac6290113681b008a870194257a81df80f66465e90fe7c88e

SHA512
7da713866d72d0e56b59d4957f54c725fff3c60a8c26709813dee3c8b37294d5d0fad1b96d4607f4c47c7eb87840350518baf5cf5d8aee297325b88b7df92a35

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
64KB

MD5
44fc22f2d95f63696476f38c777e7494

SHA1
575f585ffe4bb20e52522dbca645716d8e6c82e8

SHA256
f937958291487fb396c5f872e5f88d6ca556f0bfc72ecf8b412fe33382518bf8

SHA512
9da38baddd2ed0bb4b8c04a0fb05fd7739d968dbe26a211e2342b23cede178d1fda98c8f0e1008eaeffbfbb10cc5381e87728f8d8f6e91c4716084f782dd5041

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
63KB

MD5
7ddac1b3349bc4a44568380cbb7f3775

SHA1
40937841fa0388e388c7228105955ba9e3535990

SHA256
e2c69a0aaba469822aa7a6c26ed8b69bcc20665ce1ca971aa447c898590d0327

SHA512
f19186b6ad7ec014c9a5467db916cb6973d63929be8e76aa6924067edbc52f9c60e69a1d9d5500af84c4fdc5023f96db29732fbebec700f46f5a442984a451d4

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
446KB

MD5
d0a27e29fdef1aef8e0b4d62bf48692e

SHA1
6c6f5b3d9b411a51f339199f88d8fb41d566a971

SHA256
e460933f36c69b6262ce42ed846a75caaf382be879fc0ab91bdb90c4fe7a0d6b

SHA512
64d355cb0af3dbab7b4ca64ccd92bdddb83d856458fa84d1f8a4e9b4bfdf161554e4efe599d03f13a5ca5ef086771919971c394a39e54529e8501a3afd16f3e6

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
77KB

MD5
9025d6598fc08eaf72adc4952e0db9a9

SHA1
20cd43ed4599146e8e3da019b9e93b875aec7625

SHA256
7ebdfa6acc917caeba2b4b9340a94f9cf86638595c1971dc03cd51c4f50513e8

SHA512
9985e4dab1cc225d6fc6fd6f07246e63845a6e6cd76cfdc52d3f051e0ef6548f95920f516651206f3b6a5cb140cb24a2afda0519b2039e3e8fad0f8de0993b9d

Download Submit
C:\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
104KB

MD5
3b05272846ddb5024f56d57b8b166032

SHA1
6ea620af29ec9fa4cfe5a3d4cb8e3e2dfae438ed

SHA256
a28626aea7fa7d271ea3b4d7b330af92e881b6fb013a164975daf959b5304c29

SHA512
a6f7fa10d96db160a76e615328021a99ab1e7c2a0b082a666dd3044515b1cdd0ff158480146dcd87bb405db096427842259347faa73a7c3c459a0df847b6165b

Download Submit
\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
484KB

MD5
77f5c0427c0af031c7fcd4f87683ec73

SHA1
9ce7a351e285c52c3291b03e13c21af746c60050

SHA256
e124cb8204301b3f7e298604a3dfa04227c5145f4429bca273d6b2527bee85d6

SHA512
99b4a515da3c3db17ce93e5078fd13bd452b4374281440fe8299a3457a97e8c6d4d619a3df8f8135c409a95c9b4eb2aecf9d938ef0882b2c16282b140d8088bd

Download Submit
\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
2KB

MD5
b4800f732e220fcfda741c43e31fdf0f

SHA1
c18e6633f50553fde04a0f3b13e688ce5188f4e5

SHA256
ca68e1b5ab1e80755e0d9a680f7f053958ac184c53daabf82be22f730aa7f75d

SHA512
89d63f2392fe566814cf40c5e2bd165d1fea224df83d8b98bc6f7e4f13d9585f791bfc2653e03a04cc766cd2ef80fd3246ec63104cf8b37906458a991a984807

Download Submit
\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
122KB

MD5
7db8c87be1303759e7e8af2b03e7a65f

SHA1
7ba2ac0283b6581d42c7a341a4f9217c109f368e

SHA256
b40cb0a5e10a7bfa7a4579617e267f920b7f0394f43e2478a9a323bfd31479c9

SHA512
1ac9c230fee7d2da1c3f70dba4ccb98b14ba2dcf8982e5935ac7ab5ee585db5894a2f1ac4a7dbe66670ba4f0a25ca08da8980d96ffc2bf2e4a4066c979fabb13

Download Submit
\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
252KB

MD5
1df67d35471abb019f63a01727d0c687

SHA1
bc8e2629d19c9dba9e5dc90d7825d1fa90804a81

SHA256
7e667e45b5fdd94cd14943249fb8a4a12c99d3ceabe0f3af80423f850f909af3

SHA512
7706ed93e2b96ea0d3c7507b18bb009612c117c3a3918167a5c41b80414653e667e79a34cdfaff3dcb37ae7b9aa610f621922e7afaa26a98c2c9d910f99793f6

Download Submit
\Users\Admin\AppData\Roaming\WinApp.exe

Filesize
384KB

MD5
70e9829e2de57206f37344de429ee23d

SHA1
c240a484afa88e1d203993cfa52ee9b2463a80f2

SHA256
35e6e4f1880b2674fae6a7e52ef1fdc2e4067cb8daf5001d0688c04f9e14fdc6

SHA512
3b8b4c04489940a20d936062c190c0692b3ff57a7454c9ebcbe3e8e1e8c55deee695233dcb38920ddc42724b450c9dce6b830181ea3e322fb1dba55d790e6c53

Download Submit
memory/1292-112-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-122-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-121-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/1384-118-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1412-137-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1412-138-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-109-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-88-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-95-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-116-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-123-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-106-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-34-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-30-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-141-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-131-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/1936-132-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-140-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-139-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2004-135-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2004-136-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-130-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-133-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-134-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/2444-115-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-58-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-52-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-77-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-61-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-51-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-35-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/2688-38-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-119-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-120-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2812-41-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-53-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-94-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-113-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-114-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2824-60-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-59-0x0000000000140000-0x0000000000180000-memory.dmp

Filesize
256KB

Download
memory/2824-98-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-64-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-48-0x0000000001E00000-0x0000000001E40000-memory.dmp

Filesize
256KB

Download
memory/2856-50-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-54-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-46-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-73-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2864-70-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-78-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-100-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-75-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-63-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2900-62-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-97-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2904-102-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-37-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-27-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-23-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2992-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2992-21-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-0-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-2-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/3000-1-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-22-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads