Malware Analysis Report

2025-01-22 15:08

Sample ID 240209-bpwbqsdf9t
Target 74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533
SHA256 74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533
Tags vmprotect orcus rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533

Threat Level: Known bad

The file 74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533 was found to be: Known bad.

Malicious Activity Summary

vmprotect orcus rat spyware stealer

Orcus family

Orcus main payload

Orcus

Orcurs Rat Executable

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

VMProtect packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-09 01:19

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-09 01:19

Reported

2024-02-09 01:22

Platform

win7-20231215-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A (28 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2816 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2816 wrote to memory of 2792 (7 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2816 wrote to memory of 2584 (7 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2816 wrote to memory of 2600 (7 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2816 wrote to memory of 2620 (7 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2816 wrote to memory of 1732 (7 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2624 wrote to memory of 2648 (4 rows) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2816 wrote to memory of 3048 (9 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2648 wrote to memory of 2608 (9 rows) N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2624 wrote to memory of 1772 (3 rows) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

Processes

Process path, then its command line (repeated entries shown once with a count):

C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe
"C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
"C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe"

C:\Windows\system32\taskeng.exe
taskeng.exe {0B845649-A0CD-4D56-BE59-D3EC8B930833} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (5 identical entries)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (2 identical entries)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (5 identical entries)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Network

N/A

Files

\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 f34deec7106b194b74cebb7104163e4d
SHA1 f13ecb2c4a8b352c28e326888966f20cbe794f1d
SHA256 ff787697229d4aaa51ae0055712b8cd6c3c14ca48296896654cb86aaf9d233f0
SHA512 3966895bd00f0a9b84cae420f4db6464592fe1129fb9022d88676f5d2dc0ddc4e2e804ccce192bd953c332b67212d5550462bfb02ae93410c008870885e5af45

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 89e0324e0775b97b44469cd83210f00c
SHA1 4777522caf3f7ef4a20921e71d3e4a4c0131e3cd
SHA256 6453c4b8b38db260ffd2008fbfc5aacf3672dd556529776105c4d3295fd9ba5e
SHA512 e1b6c1b1523f620112b78870eec6fcaf49f6eaaae14d445da13416b69e1396f992147f3191a583d08a54969047fe0b324ec763a71aba3812788122124a42af9f

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 c2035584c58a497f5bd703c0f37007f2
SHA1 d8a0c30f6d74d10445b5c03073bd5e84f74b1ccd
SHA256 ec048d33918d20a11557018fa8f45f1c1e92d1cd8877bbad885d9f34a97fae55
SHA512 7f143383c5e3db7ad41468b33544b6b1ce1f829c5144fd76f6530b49b21c439470672cadd18a2def8d46deadc58ddac5ac8a440bd4587b3f7cc4e4031e8c15d1

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 3baa1fc8aca8abc8dbdb6c2dd4a64cd9
SHA1 94b01ac172843c09dd18db3d473bf23826e48417
SHA256 994ce3ba953460ca54f7a898efea8c972f9314eb0487c42582df48c8060904f7
SHA512 2e38db2ef2d6ea9e7637df9c28a3cb89bcd67f2d37f89646d2131b86d01d8f0df733d93d9112095f84e36023eb49a472c22678fad11e454e57b7df30d182970f

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 ca2d37d4efa6d8d7582ec78304a1fb9f
SHA1 0814dbb8dc429b9f87b3579d342d09d9e6cf96e4
SHA256 74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533
SHA512 3b77912616b8fe3afddd05eb3fc883e0dbf277d48dd05b8dcda41e2b8c34a198df1d0abbb33a0f955e2b714be4f87e9cc7e04ca5eba5f3ee77f2402c4c68e31c

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 132a86365b2c802f76a58a174fffc784
SHA1 93a4a60add498f8b0e409b674f323b81f4854055
SHA256 1bc2c930d7b4bc8b075688397c7fd7080dfaa711c6428dc7fe7b917ce9bab562
SHA512 a205a6d6b291be964d64fe0fbe74e9fc957da54adf842d166dc1e40a98844fb6be94608532da2d0ca4b4a914ca447a6403b119d02d6ab2e69aae074fd66d5f6a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-09 01:19

Reported

2024-02-09 01:22

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A (30 identical rows)

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A (31 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A (53 identical rows)

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A (31 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2352 set thread context of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1880 set thread context of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3004 set thread context of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1812 set thread context of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5024 set thread context of 2936 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4584 set thread context of 4164 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2288 set thread context of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2220 set thread context of 5084 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2388 set thread context of 3156 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3660 set thread context of 4880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2368 set thread context of 2456 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3120 set thread context of 396 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1328 set thread context of 2884 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4976 set thread context of 2316 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3528 set thread context of 1956 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1220 set thread context of 3472 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4116 set thread context of 2060 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4352 set thread context of 3676 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1616 set thread context of 1704 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3868 set thread context of 312 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 4792 set thread context of 2884 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4028 set thread context of 968 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1168 set thread context of 1604 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2552 set thread context of 1512 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4536 set thread context of 4244 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3660 set thread context of 724 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4660 set thread context of 2656 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1292 set thread context of 4452 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1600 set thread context of 4460 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2872 set thread context of 1044 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3192 set thread context of 2448 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 452 set thread context of 2596 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3996 set thread context of 2128 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 5004 set thread context of 660 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4748 set thread context of 312 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 416 set thread context of 2116 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 4516 set thread context of 4576 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4016 set thread context of 5012 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 808 set thread context of 4396 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2236 set thread context of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 388 set thread context of 376 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 4376 set thread context of 1968 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3460 set thread context of 4332 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 5024 set thread context of 1236 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3144 set thread context of 2464 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 624 set thread context of 3196 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 676 set thread context of 4244 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3512 set thread context of 2388 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3660 set thread context of 1672 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2656 set thread context of 768 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4456 set thread context of 4936 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1052 set thread context of 400 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1140 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 1140 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe
PID 2352 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2352 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2352 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2352 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 2352 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2352 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1880 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1880 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3004 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 3004 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1812 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe

"C:\Users\Admin\AppData\Local\Temp\74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

"C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53          173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          68.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
NL       52.142.223.178:80                                  tcp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53          23.160.77.104.in-addr.arpa     udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa     udp

Files

memory/1140-0-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1140-1-0x0000000000030000-0x000000000092A000-memory.dmp

memory/1140-2-0x0000000009900000-0x0000000009910000-memory.dmp

memory/1140-3-0x0000000009900000-0x0000000009910000-memory.dmp

memory/1140-4-0x0000000002BD0000-0x0000000002BDE000-memory.dmp

memory/1140-5-0x0000000009D60000-0x0000000009DBC000-memory.dmp

memory/1140-6-0x000000000A450000-0x000000000A9F4000-memory.dmp

memory/1140-7-0x0000000009F40000-0x0000000009FD2000-memory.dmp

memory/1140-8-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1140-9-0x0000000005340000-0x0000000005352000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 92d8a059c2f0751fd5e4b1501ff5ca2d
SHA1 0e875b582fc65a87b2867513fa71a845bf21956a
SHA256 126c0a9e1212dbd687a87952167cfea788f7f6e323e5623ee565e688f10ededb
SHA512 f8e55806433187380e4b165c5ef2cfa9f01c84d0438eabf09a8014397f700f38a94b24c58ab394f35e077338807941dbd22a9e3b3832d9a8800a6afe4d8a8d39

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 747d3e2cadc6fe0d163848fbb6a52e3c
SHA1 ad962e30b615024e6b7a4ede0c6fc5f8febbf7fe
SHA256 39629e4f93e42455313a8a25f9613ebb464b1fa3640d5b1a166221ada4a5fe72
SHA512 dace36dd22472edf335aba940b951f3c5b3d8ef54d4dbdbb78ee74062cabd317b91a3ef1d06deacf91e2b1742ad755a0c9197b0a9b01ade762c910f93fcc3f0c

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 851509e67bc230d387d3e6826c47c49d
SHA1 c0025d6f9a80f0cc76e9d35a2ff40972e23ff002
SHA256 f4ede5f12ddc36a3b38a598cb40290a2e7667f1974db0eb2a71c40823dd725d2
SHA512 de8002f44379450ac92f4f3d7cac652c6db373c714f5e2d5849f731fc89a580c27cb1c9bf982c86829af928ea0eee5974f04e4ee6c1bedc82342a4c81e4643d6

memory/2352-25-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1140-26-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2352-27-0x0000000009BD0000-0x0000000009BE0000-memory.dmp

memory/2352-28-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/2352-29-0x00000000058A0000-0x00000000058B2000-memory.dmp

memory/2352-30-0x0000000005A40000-0x0000000005A8E000-memory.dmp

memory/2352-32-0x0000000006640000-0x00000000066DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 1046e0aed63812b264ba92a7eeed9d33
SHA1 a514c0b8460c337e156cbd2328f537a70c3f747c
SHA256 d10eda7762f8d8a48d26b6b7e91d00b777552aa343a3d33d1fb7f27a65f568b1
SHA512 da913a091b5e9aaf815f47a8618a1c12d875fac20636e36644372f31f2c7c1a5baf1b44f668f6ad2d873c3e88a0641ba0321e5897afd9ba340959881f8f9a0a7

memory/1880-34-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2352-36-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3080-37-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1880-38-0x0000000002F30000-0x0000000002F40000-memory.dmp

memory/1880-41-0x0000000002F30000-0x0000000002F40000-memory.dmp

memory/1880-40-0x0000000002F30000-0x0000000002F40000-memory.dmp

memory/1880-39-0x0000000002F30000-0x0000000002F40000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 fbe2c01f2dfb74d0b839c4fc54cf15fa
SHA1 c9c5b3034d774c29716650ae6e3cf8d12516d29a
SHA256 6d65bcd041200d811de852856e2761758b220114e934e269b905a38378487645
SHA512 38639669d28aa349a3f17758e9d20b2439c505a8575394f722cae38f2bcbdc15b3b142e9261e1767653d3d2878de7f9c603409cce7301ea72035b04fd463ff5e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uploadstrack.exe.log

MD5 6a669672404c7fa39949936a483cf174
SHA1 25efdb55d16b9629db7d934e960a73d31a24f7c9
SHA256 937f98842e6d7049d8fcbb88ee2c4a324865f528e1fd9ba49de094010801b280
SHA512 ff48308ab82705bbe80139057ac652bf87c5fd7d129b0b57754ce50c833dda1d95743c6dd99d4560d3085cb87b571e7a6657dfde83c3908770ffcbcd551acefe

memory/3004-44-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2880-46-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1880-47-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3004-50-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/3004-49-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/3004-51-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/3004-48-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/3004-52-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 8aff32097215d2a76da985c6bc4b2233
SHA1 d8dae9f3d7f993e278d4f54f5720afb2a575efaa
SHA256 dce722372ec54c6b4bc102ba6fd1d65c5242d5ed816a167e9db3d6dc64b51507
SHA512 5f7d71b6f5e5d8a16bb73a648162daa4b83bf1bfebbc0a283bfd6fd2c159732225f8d95faa94d63252fca154d677672ca6c11434e9203060ed0e105de245f965

memory/1812-54-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2880-56-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2924-58-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3004-59-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1812-60-0x0000000007EF0000-0x0000000007F00000-memory.dmp

memory/1812-61-0x0000000007EF0000-0x0000000007F00000-memory.dmp

memory/3080-62-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1812-63-0x0000000005D10000-0x0000000005D22000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 49873a923ac0b0dfa608e0d84ae10f78
SHA1 3a092694dd3e415b169eaf8c58639325447b2693
SHA256 fba75275725b298c55923ee2d20259b4babc639ca40009cc4d3a9a16fbafd593
SHA512 540c5ff2ab4ad7488e879b5d6a15487c2945b7e9e7462d62e16f544f8edf44c31ccb38e547ca08bbf05ca456cd83085e03c0cffff3c186453ce0fae3372049f0

memory/5024-66-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1812-68-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/868-67-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/868-70-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/5024-73-0x00000000075B0000-0x00000000075C0000-memory.dmp

memory/5024-72-0x00000000075B0000-0x00000000075C0000-memory.dmp

memory/5024-74-0x00000000075B0000-0x00000000075C0000-memory.dmp

memory/5024-71-0x00000000075B0000-0x00000000075C0000-memory.dmp

memory/5024-75-0x00000000053A0000-0x00000000053B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 a423f0ad7afb103cb9a6442e44012764
SHA1 cd31ee47ec32559b73ce18e8d3764bdd0c348ce3
SHA256 29641e2cd3208e2358e58c8882ddc66eb0d1212354e4efc1fbe401ff051717b5
SHA512 bb4cfecb9d281bedc3875d1f2f9080cdea03f00d40e885d5c8d2f058694561bdaccfae7b5a71f2f28a3c344e185ed938910a1db8b03a7767925ad31f76344f35

memory/4584-77-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

MD5 24cfd42a8de70b38ed70e1f8cf4eda1c
SHA1 e447168fd38da9175084b36a06c3e9bbde99064c
SHA256 93b740416114e346878801c73e8a8670ff1390d3fa009424b88fafe614a3c5cd
SHA512 5c2daf5328ba99d750e9d0362e84f3a79b7fc8395aa8aa2bc1a01b266583fe1f8352bf0619f985aa72223412d14afa054537739b4941610a1d0f96e7fee2a875

memory/2936-80-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/5024-81-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2924-82-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/4584-83-0x0000000007600000-0x0000000007610000-memory.dmp

memory/4584-84-0x0000000005280000-0x0000000005292000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 96f205711783658772af45eebbca87de
SHA1 966d2a60fc4f0cb084be48f8f6618d2d3eb7e178
SHA256 dd0dab175825725bd0cc5668403840314bb735abb68af3a99858a61bc6b44f9c
SHA512 c2c018a5c2038710965cf50778a15bcd5d73206196d72e65496d45bef0a15d77517103d2aac46d88eeb3d4b6382f4dff73969b3241fa8682c0df9104e3fc6e80

memory/2288-86-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/4164-88-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2936-89-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/4584-90-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2288-94-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/2288-93-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/2288-92-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/2288-91-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/2288-95-0x0000000005BE0000-0x0000000005BF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 ed1eab2d1aa12de729ecc57f39e0f326
SHA1 8e788a8df7cc1bdc36d215fd82816a1a16aac632
SHA256 787585e4ae346b159413fe3ae8c6fc76a6327e6fee6b2325743ccce4d8965ffc
SHA512 093f33707423f38c263d5e06afbd1088681c2161940eb690fcd526a0813713a544c298db59f60fbd26d4cf244cc9c2a473369c1140a4f09383ee500ae65c8f9a

memory/4216-106-0x0000000000400000-0x0000000000400000-memory.dmp

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 55d6a97fad135b555ab81706e53a9bd8
SHA1 b47558d50a4e28ed391c58b50994705b0fdeb5fd
SHA256 ac06f64eab1fab05165bc806f0c95ef7d3b5dcc2a252753d2e879619cfa902a9
SHA512 4ab16bbb5453a0e6796b846d4648ef6aeb59d4a3c21f6aa590fd924f20c704b089bf4c69172d9266b1efb5bb9aadd62e11a5657fbb266966720a19e462ac483f

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 e201f8c32070d3b9dc2cc4b6a3f97432
SHA1 b35252842d0a3cce8a8485e10346db6f7223564c
SHA256 d8b3fca0a7961abe5b568153fa3e80e80137d7da52bdf335844778cc7fcc1634
SHA512 6b0efe1012add5e6fb39864b50f4a61049d277bda31a78a56382e132a436e02cf2376fec4a42656830b1baa2e3bbb62215b94e50cb9af557ce77ba64ddbbd35f

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 a638b136ded01122ff5b01c0ef2a4f13
SHA1 7799d1b8a88d95dfe9e67a54155d168c9afdf886
SHA256 aa10c5b0e95d4893aeff6279daf294f77c9f85f8c840a1646bac40fefb2522c4
SHA512 d3a0e0f6cdf13efd86069ce4687d88fcae66cf3269decbffe0c511978a4276e5202494a8f9283101cb5fefc1be32335a251e41acaf58a2977d1a769b009f4bdf

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 ca2d37d4efa6d8d7582ec78304a1fb9f
SHA1 0814dbb8dc429b9f87b3579d342d09d9e6cf96e4
SHA256 74aa8c6060f703ee770fd9b036fab75f82a3f593df9a639f6b70c4518b2be533
SHA512 3b77912616b8fe3afddd05eb3fc883e0dbf277d48dd05b8dcda41e2b8c34a198df1d0abbb33a0f955e2b714be4f87e9cc7e04ca5eba5f3ee77f2402c4c68e31c

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 ac7701e480e499fce530d20456683490
SHA1 44532f9fccf3f78ce6a62ada9de9a4628f429d36
SHA256 7254d52d7be4e689c8030829a3987a6319be7f958bb1b675c90125878ceb8514
SHA512 8446283c8b6c5ca150b450727d9d113cef11c228ff0f2e5d814e46c323b00f31dab5c8ef2773ab2d49711ed90f7f4e20ced1fe754674eef6b9e54916234e5fba

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 b768115a96d5f8be3eb679e11d513b9b
SHA1 cdac281f495f24b9f42e4517b606ced0bd1cfaf4
SHA256 a007156bc84660c1ac47cfa41a32dd70e1b5325c055e12234e14482007dea2c2
SHA512 02a9e663a85d16aa80fcba47f3ba640c77d84f1c1a8a60b73874891fa547a6ea74860c78b51e1340742cce2a689ddf9656f1db2241c137e4c481036670f121a7

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 3aaa3d08eaf7dd2a2bb12c2b6f3cb9d9
SHA1 06fd8d421608d4c39a61281fc6ff8617aff65d36
SHA256 8af5aab393c84b731b653049bf2e76949ef20f2c4762026b5f51f2db390efd9c
SHA512 9c4fba7a643212ade08e4794c64e2b2df44146210a88d0ac32371bb5ab7b0bdb5114e3fbbe9619a7b0f8439f340b79a13bb7c9308e80c75a674faa559d857427

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 24e37faded8c8cdcf5e3f3e7638c5e37
SHA1 3017b091221c6004ea0ee2ca174184d214c0ada3
SHA256 b005fc0079696498a358cc106a49cebd20de249ced46088fb255ea0394b56faf
SHA512 e2f81855e52e3df5937f9ef85ab9fd2f6f3650cd2f088e303f816a767452524711859d121a0f509dd02d2e301b3a3aa4c7b2fcbc796543d70359c18c24528fca

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 3cceb0588202d837d337fa0a7a1c09fd
SHA1 bdc614ef897e1706965f2068fcd5c1c341e83ac0
SHA256 f39b58de901c4f1676d92a6aebffaedcd6600aa716f50d15ade1662eee5d4861
SHA512 52004cc6e12d946b9d235e6a760d656ce514b6eaed0c9b1583a9d751ff7cbb86c763f7fd0398c31575c7ba5e632836c2f908c0d3bf08fc50bd22fd730cbb698f

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 482adcb33f657ffeabdf5fd7171d3461
SHA1 cb102e1a68455c9f3f14e6b0ed31e4e499e8c02e
SHA256 7759d5616ed530e57b08e3bd355c56f89ab5484e8a8beb2a49a23a16508fb4de
SHA512 0d717e19f661c8c76247c3d443bc11f46424d659d5fc1b2f4e313a5923aafdeb80edc1b55d156daae25c8dd9a76987ffde28bce5e3a1b18e6c4c68820d5a997a

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 9891efde8d4595d433d18b13649e6d5a
SHA1 3abd7d561d0f011f3740b50e84acf83a3a283190
SHA256 df7398356504d30a21fe0d0ae79d439ee6b97b63bafee343f83e0639eebb8b10
SHA512 8d386ddf14df628d431a28321611334dd53d275673f506f36b5363a276117a9f74247c7db69c8774403abdad31036b8629468dccb17c279a266a24aba81a8060

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 bea20e9aecfc34e1180314857204f44a
SHA1 3bfeca92470f21fa1b9f990218ece4e262e9dad6
SHA256 9310471e987790d95e680b40003810d2048d0f322e49ca88da1d716753d35029
SHA512 69ca9c0fe30e240d2a136121e932a25699e5202528cb9bc0c075662c480e5139f333e1dd98b955fd1f602cc37a3766e4d73b10e058ac98e9fd4104c65add46d4

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 cc4bcef9541de38ebc6bc9b534cd7398
SHA1 ade1ac554df0005151844f0e3e7a444b977ead57
SHA256 ff7d98d9a5689066354616a1d7ebd024e15987f1a06ca1e70c53959cf9b1c4d1
SHA512 8be922594e1a0cbc49158e167f771365b370165f2ad8bbec3fc51b5a03515a4618d70de10fd4111aa7ddb790a0ee03477b9f847865deacb20a16a278c234b27b

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 333eb42a171dfeac74dc9349f5fa38b2
SHA1 0a4208526f5b82cec2c25e7e6731ecf55868c014
SHA256 7fe7bb64b3190706c2221ef398f12710c09cc121b562818a2d6e7b590e0e4f16
SHA512 7b1fc859091bb6057f8ac6c3624830c77a46b7eda13240759c45252f1393d90f0e2cfef6e7807f95ff942a157a59bf3311b1d0aac0b45522cfbef9eaf6a299b2

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 85267efbc2e2221aff42c713074cbf7c
SHA1 9a590c73b1ce7225ba40e94d771e0912bc871af3
SHA256 36e1d5c01adb117640afb8a46cb0e63300e33b7b4e5793392bbfd76614153e20
SHA512 6f437bb82bda04d0ab900a11dd18a4727deaff5e0097343ad42d39a191f35ae037836673a0e9c93113ec2abf1cb8186bac6ef554154a6c16b1f615dddf836d64

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 d3665af2da781156f10f25fb137b400c
SHA1 ae42e79eee9a3b2e4dcbee4bbb0a3eced1a0f90d
SHA256 aa904e4362103017c36fadd686a9f0879b0e99ec0f027f7246732c14719c859b
SHA512 22c511343aa2c73a57fa09636a0db6e669940ee85c1851ee0408437104466811e23291c5e78af732c559812d6ce6e7204f73ca864d5b64e07e6cf9539d13c82c

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 a67533493867a6ff74a1107c658c5c15
SHA1 648a58bd8a4021c611b1de539bd0b12d22b243cc
SHA256 50d7bcea60bcd7ce037c009034ec5fc5e783ef705cdbb4e5fb25be5154ebc88f
SHA512 e439c3a916afb58fd1cf6347f8e66e8700e02e6da1371d7e00c482a44fe5840cf5f1711b4cf45b97931812b3dbaf2673fc198a3bec5e6707364403b8a8c1f2e4

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 d64e2d72944131b9c22ae8362dfd9f84
SHA1 32edf3ceca580cc5bc073f04cec3113a3af75ac5
SHA256 75453d51a99c50a586c0af202ac3c66cdf5d0703ccc443849841624389486f56
SHA512 52cebed3eaa44afe74af2dc530a17dc46cd2a8df98c5cc4200c7437a9274d9ad72f0ada1533807058e7404b1e48698ab697bf7f610b7462a1bc9e57b79b8a62c

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 1859d09c49a0aa0fbe9b9ec4a7f43811
SHA1 7828bd527db2c2e1b9d88080dc1ad9c228cdd17e
SHA256 b5cb979e87446be2b465b68cc9e67013692a32b64f95b9a0db626f466ae84609
SHA512 c8e34bf6cb37ca10b6158d00e81eada5a1472eca1dba8c988f98cbd7c05c49c824ab7fc1280c970c12041ddca8164297fd5fa708cd141eea6fdc24b4493f5c39

C:\Users\Admin\AppData\Roaming\linuxflowergeo\uploadstrack.exe

MD5 3e9b01a349b5239aaf1a5c4a1b9bdb0f
SHA1 41e4abe3941c9fc1acb74419e2cd03e1015b9788
SHA256 9edbd317560de04ca8930d58168384252a69fccb0c857a4f2391a45cbd57da16
SHA512 44a80aa134e827f21704a50691e1d566d821266d1f7ae92cc3fd24e6ca71c461c49be38c7e72fecbc79138681209b3918a59a7484dc463d0c696d8739c2b1b66