Malware Analysis Report

2024-11-13 18:37

Sample ID 240227-ka4h8scb82
Target a8b06620e9629037953a3a5bc07a0b60
SHA256 c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21

Threat Level: Known bad

The file a8b06620e9629037953a3a5bc07a0b60 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

Xtremerat family

XtremeRAT

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: SetClipboardViewer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 08:24

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Xtremerat family

xtremerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 08:24

Reported

2024-02-27 08:27

Platform

win7-20240221-en

Max time kernel

82s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A

Enumerates physical storage devices

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2956 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe

"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 wesam.no-ip.org udp

Files

memory/2540-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2540-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2744-11-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2540-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2560-16-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\xp6A9nh.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

memory/2744-18-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1784-21-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2560-22-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2492-25-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1784-26-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1968-29-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2492-30-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2728-33-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1968-34-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2728-35-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 a8b06620e9629037953a3a5bc07a0b60
SHA1 08c35cd4abf5e0945182079e24ec190d97225775
SHA256 c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
SHA512 042cfac252c4ceb55b9b7e5fb7f23d5686c4b3aeca68b2b093a3dce78d29f89f66745e685a9cefdb07db1dcf69a2daaa4286af185a2f9cc6040d3cbc5c0b9b50

memory/2956-44-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\xp6A9nh.cfg

MD5 6b447dc1c41b9b841b80a632a157cda8
SHA1 0c9090b7af7ff19feb8febee5d4d211fd2a3363c
SHA256 0ddbdc07f350b4d91b59583838b5f4c6201c09870d580478c7bd9bfeb85cf27d
SHA512 10e77a4aa507956aff1b3637e28dff532bf2ead0b93aaf5101898dfbca9e185020bbfa2b9125b70f86beb544bf81dae2776a6bc7222ac7268197c043fe88a0d5

memory/792-49-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2716-52-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/792-53-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1376-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2716-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2332-60-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1376-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3004-64-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2332-65-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1296-68-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3004-69-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1936-72-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1296-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1936-74-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1684-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2384-81-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2360-84-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1704-89-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2320-94-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3016-99-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2812-104-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2544-109-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1156-118-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-122-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2352-127-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2384-132-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2788-133-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2360-138-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2764-139-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1704-144-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2392-145-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2320-150-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2736-151-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3016-161-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3228-162-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2812-166-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3316-167-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2544-172-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3384-173-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1156-178-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3496-179-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3040-184-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3544-185-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3656-191-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2352-190-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2788-196-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3796-197-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2764-206-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3952-207-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2392-211-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4052-212-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2736-217-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3176-218-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3228-223-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3160-224-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3316-229-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3420-230-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3384-235-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3720-236-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3496-241-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3308-242-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3544-252-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1200-253-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3656-257-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3300-258-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3796-263-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3912-264-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3952-269-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3328-270-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4052-275-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4256-276-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3176-281-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4368-282-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3160-287-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4468-288-0x0000000000C80000-0x0000000000C93000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3420-298-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4640-299-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3720-303-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4740-304-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3308-309-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4824-310-0x0000000000C80000-0x0000000000C93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 08:24

Reported

2024-02-27 08:27

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\InstallDir\Server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\InstallDir\Server.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\Server.exe C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\Server.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\Server.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\InstallDir\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1464 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\SysWOW64\explorer.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\InstallDir\Server.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\InstallDir\Server.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe C:\Windows\InstallDir\Server.exe
PID 1124 wrote to memory of 1876 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 1876 N/A C:\Windows\InstallDir\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2220 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1124 wrote to memory of 2220 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1124 wrote to memory of 2220 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe
PID 1124 wrote to memory of 2220 N/A C:\Windows\InstallDir\Server.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe

"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\Server.exe

"C:\Windows\InstallDir\Server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 92.123.128.176:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 176.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp
US 8.8.8.8:53 wesam.no-ip.org udp

Files

memory/4044-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4044-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4088-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3176-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\xp6A9nh.dat

MD5 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1 4700b42849fb35be323774820bf1bc8019d26c80
SHA256 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

memory/4088-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3176-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/800-14-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1772-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/800-16-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 a8b06620e9629037953a3a5bc07a0b60
SHA1 08c35cd4abf5e0945182079e24ec190d97225775
SHA256 c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
SHA512 042cfac252c4ceb55b9b7e5fb7f23d5686c4b3aeca68b2b093a3dce78d29f89f66745e685a9cefdb07db1dcf69a2daaa4286af185a2f9cc6040d3cbc5c0b9b50

memory/1772-41-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1464-49-0x0000000000C80000-0x0000000000C93000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\xp6A9nh.cfg

MD5 6b447dc1c41b9b841b80a632a157cda8
SHA1 0c9090b7af7ff19feb8febee5d4d211fd2a3363c
SHA256 0ddbdc07f350b4d91b59583838b5f4c6201c09870d580478c7bd9bfeb85cf27d
SHA512 10e77a4aa507956aff1b3637e28dff532bf2ead0b93aaf5101898dfbca9e185020bbfa2b9125b70f86beb544bf81dae2776a6bc7222ac7268197c043fe88a0d5

memory/2220-53-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1688-54-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2220-55-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3164-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1688-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4192-58-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3164-59-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/864-60-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4192-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/864-62-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/368-63-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/368-65-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1124-66-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4268-70-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4268-71-0x0000000077DD7000-0x0000000077DD8000-memory.dmp

memory/1384-72-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4268-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4912-74-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1384-75-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1956-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4912-77-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1956-78-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4444-79-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4436-80-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4444-81-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4436-83-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3328-84-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2428-88-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4816-89-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2428-90-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1348-91-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4816-92-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1348-93-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/232-94-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3820-95-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/232-96-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/116-98-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3820-99-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/680-103-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3444-104-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/680-105-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1768-106-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3444-107-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3208-108-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/1768-109-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4196-110-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3208-111-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/116-112-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4196-113-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/116-114-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4680-116-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/392-120-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/392-121-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2640-123-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5136-125-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5216-128-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5280-131-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5460-140-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5584-142-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5672-145-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5740-148-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5808-151-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5872-154-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/2640-157-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5940-158-0x0000000000C80000-0x0000000000C93000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5136-168-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/6124-169-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5216-171-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5184-172-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5280-175-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4484-176-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5460-179-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3956-180-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5584-183-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5344-184-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5672-187-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5508-188-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5740-191-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5808-192-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5872-193-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5940-194-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/6124-195-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5184-196-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/4484-197-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/3956-198-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5344-199-0x0000000000C80000-0x0000000000C93000-memory.dmp

memory/5508-200-0x0000000000C80000-0x0000000000C93000-memory.dmp