darkcomet | 4a6d7294cd902595eddc8888ef313abf4839b766e5aa3a7e1f7932396862ddc7

Analysis

max time kernel
23s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

6.6MB
MD5

7ccb67211d3217bf81a5cba6646aa71e
SHA1

41ae6435dc0872ebffb2377175eac043c75aa47b
SHA256

4a6d7294cd902595eddc8888ef313abf4839b766e5aa3a7e1f7932396862ddc7
SHA512

91e1e343ef88167847f636cf90aa2aac9cd9c82520f4c4d3cffca072703f8067ec964f62b08a76a6f8350330a21ac8c7306b5cb603d0a8fef0353c47c1b5f43d
SSDEEP

98304:MQU/vazHb9LcFW5ifLq9yigKhlQUxqXR68lY2mzEn/HH3MW:MQqqiipQUxqXm2mzI/HXMW

Score

10^/10

darkcomet guest16 agilenet evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

23.27.245.112:443

Mutex

DC_MUTEX-5SPHHX7

Attributes

gencode
HqxpjeTgUiwn
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
7208	attrib.exe
7532	attrib.exe
8984	attrib.exe
8396	attrib.exe
10588	attrib.exe
1368	attrib.exe
6644	attrib.exe
7512	attrib.exe
5576	attrib.exe
5400	attrib.exe
4656	attrib.exe
9304	attrib.exe
8288	attrib.exe
1988	attrib.exe
9208	attrib.exe
3916	attrib.exe
2712	attrib.exe
7784	attrib.exe
6236	attrib.exe
776	attrib.exe
7988	attrib.exe
9340	attrib.exe
2360	attrib.exe
5940	attrib.exe
5604	attrib.exe
9968	attrib.exe
10060	attrib.exe
4048	attrib.exe
5532	attrib.exe
6968	attrib.exe
7508	attrib.exe
3248	attrib.exe
7260	attrib.exe
3056	attrib.exe
8268	attrib.exe
5688	attrib.exe
9560	attrib.exe
5776	attrib.exe
5856	attrib.exe
8296	attrib.exe
6020	attrib.exe
7540	attrib.exe
8868	attrib.exe
9160	attrib.exe
5228	attrib.exe
7160	attrib.exe
5892	attrib.exe
7212	attrib.exe
2452	attrib.exe
4424	attrib.exe
7072	attrib.exe
8496	attrib.exe
9016	attrib.exe
10280	attrib.exe
7268	attrib.exe
7952	attrib.exe
7940	attrib.exe
4696	attrib.exe
9980	attrib.exe
10228	attrib.exe
4792	attrib.exe
8004	attrib.exe
8164	attrib.exe
8152	attrib.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXEloader.exeLOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	LOADER.EXE

Executes dropped EXE 19 IoCs

Processes:

LOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXELOADER.EXE

pid	process
1656	LOADER.EXE
2224	LOADER.EXE
440	LOADER.EXE
4764	LOADER.EXE
396	LOADER.EXE
4384	LOADER.EXE
3852	LOADER.EXE
2120	LOADER.EXE
4588	LOADER.EXE
5428	LOADER.EXE
5800	LOADER.EXE
5132	LOADER.EXE
5744	LOADER.EXE
5924	LOADER.EXE
776	LOADER.EXE
5824	LOADER.EXE
1068	LOADER.EXE
5604	LOADER.EXE
5800	LOADER.EXE

Obfuscated with Agile.Net obfuscator 61 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BUNIFU.CORE.DLL	agile_net
C:\Users\Admin\AppData\Local\Temp\loader.exe	agile_net
behavioral1/memory/4860-62-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/1656-83-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/2224-85-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/440-99-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/4764-105-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/2536-121-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/396-127-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/4384-140-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/3852-164-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/2120-174-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/4588-182-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5428-187-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5800-197-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5132-215-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5744-219-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5924-236-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/776-237-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5824-256-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/1068-257-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5604-275-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5800-282-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5628-298-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/1500-308-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5140-315-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/3932-326-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6436-336-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6832-343-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5576-350-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6448-369-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6820-371-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6216-385-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5464-390-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5392-406-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/1632-408-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5356-426-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6316-431-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7004-450-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7212-451-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7464-467-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7912-471-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/3840-489-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7620-490-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7772-506-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6412-510-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7280-525-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7476-526-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6488-545-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8160-553-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/3884-557-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/6896-572-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7484-583-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7844-590-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8264-602-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8616-608-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8892-623-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/5240-627-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/7232-644-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8928-648-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net
behavioral1/memory/8568-667-0x0000000000400000-0x0000000000AA5000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

LOADER.EXEOpenWith.exeOpenWith.exeOpenWith.exeLOADER.EXEOpenWith.exeLOADER.EXELOADER.EXELOADER.EXELOADER.EXEOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeLOADER.EXELOADER.EXEOpenWith.exeOpenWith.exeLOADER.EXELOADER.EXEOpenWith.exeLOADER.EXELOADER.EXEOpenWith.exeLOADER.EXEOpenWith.exeOpenWith.exeOpenWith.exeLOADER.EXELOADER.EXEOpenWith.exeOpenWith.exeLOADER.EXEloader.exeLOADER.EXEOpenWith.exeOpenWith.exeLOADER.EXEOpenWith.exeLOADER.EXEOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	loader.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LOADER.EXE
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

loader.exeLOADER.EXELOADER.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	2536	loader.exe
Token: SeSecurityPrivilege	2536	loader.exe
Token: SeTakeOwnershipPrivilege	2536	loader.exe
Token: SeLoadDriverPrivilege	2536	loader.exe
Token: SeSystemProfilePrivilege	2536	loader.exe
Token: SeSystemtimePrivilege	2536	loader.exe
Token: SeProfSingleProcessPrivilege	2536	loader.exe
Token: SeIncBasePriorityPrivilege	2536	loader.exe
Token: SeCreatePagefilePrivilege	2536	loader.exe
Token: SeBackupPrivilege	2536	loader.exe
Token: SeRestorePrivilege	2536	loader.exe
Token: SeShutdownPrivilege	2536	loader.exe
Token: SeDebugPrivilege	2536	loader.exe
Token: SeSystemEnvironmentPrivilege	2536	loader.exe
Token: SeChangeNotifyPrivilege	2536	loader.exe
Token: SeRemoteShutdownPrivilege	2536	loader.exe
Token: SeUndockPrivilege	2536	loader.exe
Token: SeManageVolumePrivilege	2536	loader.exe
Token: SeImpersonatePrivilege	2536	loader.exe
Token: SeCreateGlobalPrivilege	2536	loader.exe
Token: 33	2536	loader.exe
Token: 34	2536	loader.exe
Token: 35	2536	loader.exe
Token: 36	2536	loader.exe
Token: SeIncreaseQuotaPrivilege	4860	LOADER.EXE
Token: SeSecurityPrivilege	4860	LOADER.EXE
Token: SeTakeOwnershipPrivilege	4860	LOADER.EXE
Token: SeLoadDriverPrivilege	4860	LOADER.EXE
Token: SeSystemProfilePrivilege	4860	LOADER.EXE
Token: SeSystemtimePrivilege	4860	LOADER.EXE
Token: SeProfSingleProcessPrivilege	4860	LOADER.EXE
Token: SeIncBasePriorityPrivilege	4860	LOADER.EXE
Token: SeCreatePagefilePrivilege	4860	LOADER.EXE
Token: SeBackupPrivilege	4860	LOADER.EXE
Token: SeRestorePrivilege	4860	LOADER.EXE
Token: SeShutdownPrivilege	4860	LOADER.EXE
Token: SeDebugPrivilege	4860	LOADER.EXE
Token: SeSystemEnvironmentPrivilege	4860	LOADER.EXE
Token: SeChangeNotifyPrivilege	4860	LOADER.EXE
Token: SeRemoteShutdownPrivilege	4860	LOADER.EXE
Token: SeUndockPrivilege	4860	LOADER.EXE
Token: SeManageVolumePrivilege	4860	LOADER.EXE
Token: SeImpersonatePrivilege	4860	LOADER.EXE
Token: SeCreateGlobalPrivilege	4860	LOADER.EXE
Token: 33	4860	LOADER.EXE
Token: 34	4860	LOADER.EXE
Token: 35	4860	LOADER.EXE
Token: 36	4860	LOADER.EXE
Token: SeIncreaseQuotaPrivilege	1656	LOADER.EXE
Token: SeSecurityPrivilege	1656	LOADER.EXE
Token: SeTakeOwnershipPrivilege	1656	LOADER.EXE
Token: SeLoadDriverPrivilege	1656	LOADER.EXE
Token: SeSystemProfilePrivilege	1656	LOADER.EXE
Token: SeSystemtimePrivilege	1656	LOADER.EXE
Token: SeProfSingleProcessPrivilege	1656	LOADER.EXE
Token: SeIncBasePriorityPrivilege	1656	LOADER.EXE
Token: SeCreatePagefilePrivilege	1656	LOADER.EXE
Token: SeBackupPrivilege	1656	LOADER.EXE
Token: SeRestorePrivilege	1656	LOADER.EXE
Token: SeShutdownPrivilege	1656	LOADER.EXE
Token: SeDebugPrivilege	1656	LOADER.EXE
Token: SeSystemEnvironmentPrivilege	1656	LOADER.EXE
Token: SeChangeNotifyPrivilege	1656	LOADER.EXE
Token: SeRemoteShutdownPrivilege	1656	LOADER.EXE

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

OpenWith.exeOpenWith.exeloader.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
4792	OpenWith.exe
2740	OpenWith.exe
2536	loader.exe
1504	OpenWith.exe
1188	OpenWith.exe
4540	OpenWith.exe
3296	OpenWith.exe
1916	OpenWith.exe
2716	OpenWith.exe
3884	OpenWith.exe
1356	OpenWith.exe
3204	OpenWith.exe
768	OpenWith.exe
2680	OpenWith.exe
4424	OpenWith.exe
3660	OpenWith.exe
1516	OpenWith.exe
1608	OpenWith.exe
2612	OpenWith.exe
5136	OpenWith.exe
5464	OpenWith.exe
5392	OpenWith.exe
5748	OpenWith.exe
5832	OpenWith.exe
6092	OpenWith.exe
4656	OpenWith.exe
5560	OpenWith.exe
3884	OpenWith.exe
5736	OpenWith.exe
6000	OpenWith.exe
1064	OpenWith.exe
6000	OpenWith.exe
6000	OpenWith.exe
6000	OpenWith.exe
6000	OpenWith.exe
4576	OpenWith.exe
5816	OpenWith.exe
6092	OpenWith.exe
5148	OpenWith.exe
1456	OpenWith.exe
3424	OpenWith.exe
5552	OpenWith.exe
5768	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loader.execmd.execmd.exeLOADER.EXEcmd.execmd.exeLOADER.EXEcmd.execmd.exeLOADER.EXEcmd.execmd.exe

description	pid	process	target process
PID 2536 wrote to memory of 4376	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4376	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4376	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4060	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4060	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4060	2536	loader.exe	cmd.exe
PID 2536 wrote to memory of 4860	2536	loader.exe	LOADER.EXE
PID 2536 wrote to memory of 4860	2536	loader.exe	LOADER.EXE
PID 2536 wrote to memory of 4860	2536	loader.exe	LOADER.EXE
PID 4376 wrote to memory of 3916	4376	cmd.exe	attrib.exe
PID 4376 wrote to memory of 3916	4376	cmd.exe	attrib.exe
PID 4376 wrote to memory of 3916	4376	cmd.exe	attrib.exe
PID 4060 wrote to memory of 3864	4060	cmd.exe	attrib.exe
PID 4060 wrote to memory of 3864	4060	cmd.exe	attrib.exe
PID 4060 wrote to memory of 3864	4060	cmd.exe	attrib.exe
PID 4860 wrote to memory of 4428	4860	LOADER.EXE	cmd.exe
PID 4860 wrote to memory of 4428	4860	LOADER.EXE	cmd.exe
PID 4860 wrote to memory of 4428	4860	LOADER.EXE	cmd.exe
PID 4860 wrote to memory of 556	4860	LOADER.EXE	cmd.exe
PID 4860 wrote to memory of 556	4860	LOADER.EXE	cmd.exe
PID 4860 wrote to memory of 556	4860	LOADER.EXE	cmd.exe
PID 556 wrote to memory of 3424	556	cmd.exe	OpenWith.exe
PID 556 wrote to memory of 3424	556	cmd.exe	OpenWith.exe
PID 556 wrote to memory of 3424	556	cmd.exe	OpenWith.exe
PID 4428 wrote to memory of 4200	4428	cmd.exe	attrib.exe
PID 4428 wrote to memory of 4200	4428	cmd.exe	attrib.exe
PID 4428 wrote to memory of 4200	4428	cmd.exe	attrib.exe
PID 4860 wrote to memory of 1656	4860	LOADER.EXE	Conhost.exe
PID 4860 wrote to memory of 1656	4860	LOADER.EXE	Conhost.exe
PID 4860 wrote to memory of 1656	4860	LOADER.EXE	Conhost.exe
PID 2536 wrote to memory of 1304	2536	loader.exe	iexplore.exe
PID 2536 wrote to memory of 1304	2536	loader.exe	iexplore.exe
PID 2536 wrote to memory of 1304	2536	loader.exe	iexplore.exe
PID 2536 wrote to memory of 336	2536	loader.exe	explorer.exe
PID 2536 wrote to memory of 336	2536	loader.exe	explorer.exe
PID 1656 wrote to memory of 3380	1656	LOADER.EXE	cmd.exe
PID 1656 wrote to memory of 3380	1656	LOADER.EXE	cmd.exe
PID 1656 wrote to memory of 3380	1656	LOADER.EXE	cmd.exe
PID 1656 wrote to memory of 4420	1656	LOADER.EXE	cmd.exe
PID 1656 wrote to memory of 4420	1656	LOADER.EXE	cmd.exe
PID 1656 wrote to memory of 4420	1656	LOADER.EXE	cmd.exe
PID 3380 wrote to memory of 2824	3380	cmd.exe	attrib.exe
PID 3380 wrote to memory of 2824	3380	cmd.exe	attrib.exe
PID 3380 wrote to memory of 2824	3380	cmd.exe	attrib.exe
PID 4420 wrote to memory of 2432	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 2432	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 2432	4420	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2224	1656	LOADER.EXE	LOADER.EXE
PID 1656 wrote to memory of 2224	1656	LOADER.EXE	LOADER.EXE
PID 1656 wrote to memory of 2224	1656	LOADER.EXE	LOADER.EXE
PID 2224 wrote to memory of 4364	2224	LOADER.EXE	cmd.exe
PID 2224 wrote to memory of 4364	2224	LOADER.EXE	cmd.exe
PID 2224 wrote to memory of 4364	2224	LOADER.EXE	cmd.exe
PID 2224 wrote to memory of 3624	2224	LOADER.EXE	cmd.exe
PID 2224 wrote to memory of 3624	2224	LOADER.EXE	cmd.exe
PID 2224 wrote to memory of 3624	2224	LOADER.EXE	cmd.exe
PID 4364 wrote to memory of 432	4364	cmd.exe	Conhost.exe
PID 4364 wrote to memory of 432	4364	cmd.exe	Conhost.exe
PID 4364 wrote to memory of 432	4364	cmd.exe	Conhost.exe
PID 2224 wrote to memory of 440	2224	LOADER.EXE	LOADER.EXE
PID 2224 wrote to memory of 440	2224	LOADER.EXE	LOADER.EXE
PID 2224 wrote to memory of 440	2224	LOADER.EXE	LOADER.EXE
PID 3624 wrote to memory of 3304	3624	cmd.exe	attrib.exe
PID 3624 wrote to memory of 3304	3624	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
3248	attrib.exe
5400	attrib.exe
10264	attrib.exe
7268	attrib.exe
7328	attrib.exe
8920	attrib.exe
8220	attrib.exe
2872	attrib.exe
396	attrib.exe
2716	attrib.exe
5332	attrib.exe
8164	attrib.exe
7952	attrib.exe
7508	attrib.exe
5796	attrib.exe
5228	attrib.exe
6800	attrib.exe
7640	attrib.exe
4448	attrib.exe
3900	attrib.exe
10228	attrib.exe
6060	attrib.exe
5736	attrib.exe
5776	attrib.exe
7520	attrib.exe
7776	attrib.exe
6036	attrib.exe
8332	attrib.exe
7244	attrib.exe
432	attrib.exe
3304	attrib.exe
3688	attrib.exe
6236	attrib.exe
776	attrib.exe
1916	attrib.exe
9504	attrib.exe
5576	attrib.exe
6400	attrib.exe
7668	attrib.exe
7776	attrib.exe
9212	attrib.exe
8296	attrib.exe
8936	attrib.exe
10280	attrib.exe
5400	attrib.exe
6388	attrib.exe
7696	attrib.exe
8496	attrib.exe
9560	attrib.exe
4696	attrib.exe
10564	attrib.exe
3364	attrib.exe
3616	attrib.exe
4708	attrib.exe
9160	attrib.exe
8004	attrib.exe
6644	attrib.exe
6412	attrib.exe
3916	attrib.exe
2204	attrib.exe
5352	attrib.exe
4072	attrib.exe
2712	attrib.exe
9960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\loader.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\loader.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
4⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
5⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
6⤵
- Views/modifies file attributes
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
6⤵
- Views/modifies file attributes
PID:3304

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
6⤵
PID:4704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
7⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
6⤵
PID:3068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
7⤵
- Views/modifies file attributes
PID:3364

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
7⤵
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
8⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
7⤵
PID:2780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
8⤵
- Views/modifies file attributes
PID:2204

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
8⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
9⤵
- Sets file to hidden
PID:4424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
8⤵
PID:1708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
9⤵
- Views/modifies file attributes
PID:3616

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
9⤵
PID:3860

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
10⤵
- Views/modifies file attributes
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
9⤵
PID:4084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
10⤵
- Views/modifies file attributes
PID:2716

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
10⤵
PID:644

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
11⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
10⤵
PID:760

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3248

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
11⤵
PID:4828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
12⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
11⤵
PID:992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
12⤵
- Sets file to hidden
PID:2360

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
12⤵
PID:5204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
13⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
12⤵
PID:5220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
13⤵
- Views/modifies file attributes
PID:5352

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
13⤵
PID:5544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
14⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
13⤵
PID:5568

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
14⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
14⤵
PID:5912

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
15⤵
PID:6048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
14⤵
PID:5928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
15⤵
- Views/modifies file attributes
PID:6060

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
15⤵
PID:5256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:5312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
16⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
15⤵
PID:5316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
16⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
16⤵
PID:3656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
17⤵
- Views/modifies file attributes
PID:5332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
16⤵
PID:5176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
17⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
17⤵
PID:2432

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
18⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
17⤵
PID:3704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
18⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
18⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:1656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
19⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
18⤵
PID:6128

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
19⤵
- Views/modifies file attributes
PID:4072

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
19⤵
PID:2940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
20⤵
- Views/modifies file attributes
PID:5796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
19⤵
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2712

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
20⤵
PID:5748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:452

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
21⤵
- Views/modifies file attributes
PID:5736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
20⤵
PID:468

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
21⤵
- Sets file to hidden
PID:1368

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
21⤵
PID:4980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
22⤵
- Sets file to hidden
PID:5940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
21⤵
PID:5528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
22⤵
- Views/modifies file attributes
PID:5400

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
21⤵
- Executes dropped EXE
PID:5800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
22⤵
PID:1608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
22⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:5352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5400

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
22⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
23⤵
PID:5700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
24⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
23⤵
PID:1940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
24⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
23⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
24⤵
PID:2360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
25⤵
- Views/modifies file attributes
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
24⤵
PID:1068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
25⤵
- Sets file to hidden
PID:4656

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
24⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
25⤵
PID:5664

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
26⤵
PID:5188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
25⤵
PID:2288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
26⤵
PID:5800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5228

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
25⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
26⤵
PID:6228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
27⤵
- Views/modifies file attributes
PID:6388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
26⤵
PID:6264

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
27⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
26⤵
PID:6436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
27⤵
PID:6588

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
28⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
27⤵
PID:6600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
28⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
27⤵
PID:6832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
28⤵
PID:6948

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
29⤵
PID:7088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
28⤵
PID:6980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
29⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
28⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
29⤵
PID:6424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
30⤵
- Sets file to hidden
PID:5532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
29⤵
PID:1132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
30⤵
PID:432

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
30⤵
- Sets file to hidden
PID:5604

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
29⤵
PID:6448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
30⤵
PID:6204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
31⤵
PID:6968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
30⤵
PID:6720

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
31⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6236

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
30⤵
PID:6820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
31⤵
PID:3968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
32⤵
- Sets file to hidden
- Views/modifies file attributes
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
31⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
32⤵
PID:5736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
32⤵
- Sets file to hidden
PID:5856

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
31⤵
PID:6216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
32⤵
PID:5768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
33⤵
- Views/modifies file attributes
PID:6800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
32⤵
PID:376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
33⤵
- Sets file to hidden
PID:7160

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
32⤵
PID:5464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
33⤵
PID:7136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
34⤵
- Views/modifies file attributes
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
33⤵
PID:6244

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
34⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
33⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
34⤵
PID:3372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
35⤵
- Sets file to hidden
PID:7072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
34⤵
PID:7120

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
35⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
34⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
35⤵
PID:6168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
36⤵
- Sets file to hidden
PID:6968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
35⤵
PID:6924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
36⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6644

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
35⤵
PID:5356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
36⤵
PID:1480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
37⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
36⤵
PID:6392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
37⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
36⤵
PID:6316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
37⤵
PID:7148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
38⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
37⤵
PID:6744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
38⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
37⤵
PID:7004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
38⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
39⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
38⤵
PID:2292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
39⤵
PID:7172

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
38⤵
PID:7212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
39⤵
PID:7340

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
40⤵
- Sets file to hidden
PID:7512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
39⤵
PID:7364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
40⤵
- Views/modifies file attributes
PID:7520

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
39⤵
PID:7464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
40⤵
PID:7600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
41⤵
PID:7792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
40⤵
PID:7648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
41⤵
- Views/modifies file attributes
PID:7776

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
40⤵
PID:7912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
41⤵
PID:8024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
42⤵
PID:8172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
41⤵
PID:8048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
42⤵
- Sets file to hidden
- Views/modifies file attributes
PID:8164

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
41⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
42⤵
PID:7388

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
43⤵
PID:6508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
42⤵
PID:7436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
43⤵
- Views/modifies file attributes
PID:6412

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
42⤵
PID:7620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
43⤵
PID:7812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
44⤵
- Views/modifies file attributes
PID:7696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
43⤵
PID:7920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7268

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
43⤵
PID:7772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
44⤵
PID:7556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
45⤵
- Views/modifies file attributes
PID:7640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
44⤵
PID:7308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
45⤵
- Sets file to hidden
PID:5892

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
44⤵
PID:6412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
45⤵
PID:7816

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
46⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
45⤵
PID:7204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
46⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
45⤵
PID:7280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
46⤵
PID:6420

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
47⤵
- Views/modifies file attributes
PID:7328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
46⤵
PID:6180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
47⤵
- Sets file to hidden
PID:6020

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
46⤵
PID:7476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
47⤵
PID:7596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
48⤵
- Sets file to hidden
PID:7260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
47⤵
PID:7660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
48⤵
- Sets file to hidden
PID:8152

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
47⤵
PID:6488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
48⤵
PID:6512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
49⤵
- Views/modifies file attributes
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
48⤵
PID:7328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
49⤵
- Sets file to hidden
PID:7784

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
48⤵
PID:8160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
49⤵
PID:7608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
50⤵
- Sets file to hidden
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
49⤵
PID:6568

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
50⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
49⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
50⤵
PID:7836

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
51⤵
PID:8164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
50⤵
PID:7316

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
51⤵
- Views/modifies file attributes
PID:7668

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
50⤵
PID:6896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
51⤵
PID:1980

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
52⤵
- Sets file to hidden
PID:7208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
51⤵
PID:8164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
52⤵
- Sets file to hidden
PID:7540

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
51⤵
PID:7484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
52⤵
PID:7540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
53⤵
PID:7640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
52⤵
PID:4556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
53⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7508

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
52⤵
PID:7844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
53⤵
PID:8180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
54⤵
- Views/modifies file attributes
PID:7776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
53⤵
PID:6516

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
54⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
53⤵
PID:8264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
54⤵
PID:8360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
55⤵
- Sets file to hidden
- Views/modifies file attributes
PID:8496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
54⤵
PID:8404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
55⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
54⤵
PID:8616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
55⤵
PID:8728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
56⤵
PID:8860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
55⤵
PID:8760

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
56⤵
- Sets file to hidden
PID:8868

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
55⤵
PID:8892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
56⤵
PID:9036

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
57⤵
- Views/modifies file attributes
PID:9212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
56⤵
PID:9084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
57⤵
PID:7904

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
56⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
57⤵
PID:5484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
58⤵
PID:8500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
57⤵
PID:7864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
58⤵
PID:8524

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
57⤵
PID:7232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
58⤵
PID:6528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
59⤵
PID:7844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
58⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
59⤵
PID:8868

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
58⤵
PID:8928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
59⤵
PID:9092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
60⤵
- Sets file to hidden
PID:7212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
59⤵
PID:9164

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
60⤵
- Views/modifies file attributes
PID:3900

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
59⤵
PID:8568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
60⤵
PID:8716

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
61⤵
- Sets file to hidden
PID:7940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
60⤵
PID:8372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
61⤵
- Views/modifies file attributes
PID:8332

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
60⤵
PID:7064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
61⤵
PID:8988

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
62⤵
- Sets file to hidden
PID:7988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
61⤵
PID:8952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
62⤵
- Sets file to hidden
PID:8288

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
61⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
62⤵
PID:2248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
63⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
62⤵
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
63⤵
- Sets file to hidden
PID:7532

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
62⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
63⤵
PID:9104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
64⤵
- Sets file to hidden
- Views/modifies file attributes
PID:9160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
63⤵
PID:9196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
64⤵
- Sets file to hidden
PID:8984

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
63⤵
PID:9016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
64⤵
PID:956

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
65⤵
PID:7776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
64⤵
PID:8496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
65⤵
- Views/modifies file attributes
PID:8920

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
64⤵
PID:8948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
65⤵
PID:5032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
66⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
65⤵
PID:6000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
66⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
65⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
66⤵
PID:5300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
67⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
66⤵
PID:7776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
67⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
66⤵
PID:9200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
67⤵
PID:7208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
68⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
67⤵
PID:8172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
68⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
67⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
68⤵
PID:2728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
69⤵
PID:8248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
68⤵
PID:876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
69⤵
- Sets file to hidden
- Views/modifies file attributes
PID:8296

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
68⤵
PID:8896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
69⤵
PID:8864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
70⤵
PID:8560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
69⤵
PID:6896

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
70⤵
PID:8908

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
69⤵
PID:5304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
70⤵
PID:7528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
71⤵
- Sets file to hidden
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
70⤵
PID:8908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
71⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
70⤵
PID:8572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
71⤵
PID:4448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
72⤵
- Sets file to hidden
PID:9016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
71⤵
PID:8484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
72⤵
PID:8788

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
71⤵
PID:9264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
72⤵
PID:9364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
73⤵
- Views/modifies file attributes
PID:9504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
72⤵
PID:9380

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
73⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
72⤵
PID:9592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
73⤵
PID:9692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
74⤵
PID:9832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
73⤵
PID:9700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
74⤵
PID:9808

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
73⤵
PID:9904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
74⤵
PID:10000

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
75⤵
PID:10152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
74⤵
PID:10008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
75⤵
PID:10124

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
74⤵
PID:7108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
75⤵
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
76⤵
- Views/modifies file attributes
PID:8220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
75⤵
PID:9116

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
76⤵
- Views/modifies file attributes
PID:8936

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
75⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
76⤵
PID:9728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
77⤵
- Views/modifies file attributes
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
76⤵
PID:9740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
77⤵
- Views/modifies file attributes
PID:7244

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
76⤵
PID:9344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
77⤵
PID:5480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
78⤵
PID:9544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
77⤵
PID:10188

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
78⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
77⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
78⤵
PID:8936

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
79⤵
- Sets file to hidden
- Views/modifies file attributes
PID:10228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
78⤵
PID:8256

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
79⤵
- Sets file to hidden
PID:8268

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
78⤵
PID:9908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
79⤵
PID:10208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
80⤵
- Views/modifies file attributes
PID:6400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
79⤵
PID:9220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
80⤵
PID:8536

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
79⤵
PID:9532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
80⤵
PID:3248

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
81⤵
- Views/modifies file attributes
PID:9960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
80⤵
PID:9628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
81⤵
- Sets file to hidden
PID:9968

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
80⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
81⤵
PID:2652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
82⤵
PID:9356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
81⤵
PID:9528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
82⤵
- Sets file to hidden
PID:10060

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
81⤵
PID:10184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
82⤵
PID:9632

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
83⤵
- Sets file to hidden
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
82⤵
PID:7928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
83⤵
PID:9112

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
82⤵
PID:7740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
83⤵
PID:9680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
84⤵
- Sets file to hidden
PID:9340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
83⤵
PID:3576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
84⤵
PID:9312

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
83⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
84⤵
PID:9572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
85⤵
- Sets file to hidden
PID:8396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
84⤵
PID:8536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
85⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
84⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
85⤵
PID:1916

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
86⤵
- Sets file to hidden
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
85⤵
PID:6784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
86⤵
PID:9332

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
85⤵
PID:5460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
86⤵
PID:5500

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
87⤵
PID:7172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
86⤵
PID:9984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
87⤵
- Sets file to hidden
- Views/modifies file attributes
PID:8004

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
86⤵
PID:9880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
87⤵
PID:8872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
88⤵
- Views/modifies file attributes
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
87⤵
PID:1364

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
88⤵
- Sets file to hidden
PID:4048

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
87⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
88⤵
PID:1944

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
89⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
88⤵
PID:5232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
89⤵
- Views/modifies file attributes
PID:6036

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
88⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
89⤵
PID:7768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
90⤵
- Sets file to hidden
PID:9304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
89⤵
PID:9244

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
90⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4696

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
89⤵
PID:7172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
90⤵
PID:5200

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
91⤵
PID:8220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
90⤵
PID:2308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
91⤵
- Sets file to hidden
PID:9980

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
90⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
91⤵
PID:10220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
92⤵
PID:6288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
91⤵
PID:9648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
92⤵
- Sets file to hidden
PID:9208

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
91⤵
PID:9336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
92⤵
PID:3672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
93⤵
- Sets file to hidden
PID:5688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
92⤵
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
93⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5576

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
92⤵
PID:9644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
93⤵
PID:9308

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
94⤵
- Sets file to hidden
- Views/modifies file attributes
PID:9560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
93⤵
PID:10164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
94⤵
PID:3852

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
94⤵
PID:8860

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
93⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
94⤵
PID:9208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
95⤵
PID:7976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
94⤵
PID:6360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
95⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
94⤵
PID:7976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
95⤵
PID:9656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
96⤵
- Sets file to hidden
- Views/modifies file attributes
PID:10280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
95⤵
PID:9624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
96⤵
- Views/modifies file attributes
PID:10264

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
95⤵
PID:10356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
96⤵
PID:10456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
97⤵
- Sets file to hidden
PID:10588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
96⤵
PID:10472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
97⤵
- Views/modifies file attributes
PID:10564

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
96⤵
PID:10688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
97⤵
PID:10784

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" +s +h
98⤵
PID:10912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
97⤵
PID:10800

C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
97⤵
PID:10972

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:1304

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7660

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7940

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7236

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7208

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7772

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4236

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10380

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10936

C:\Windows\System32\ThumbnailExtractionHost.exe
C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding
1⤵
PID:10964

C:\Windows\System32\ThumbnailExtractionHost.exe
C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding
1⤵
PID:11028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11144

C:\Windows\System32\ThumbnailExtractionHost.exe
C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding
1⤵
PID:11188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BUNIFU.CORE.DLL
Filesize
2.5MB

MD5
d9f830dffedbb2bc371fa60784c01221

SHA1
d6a778249e05ee04c2e5e386c31f88598338ab84

SHA256
5f72650f6d3a4a9b77bcdd74159282fcf724bd34afb989df6b6e075ea1dd6bc3

SHA512
e8e7c712638e0aace109e0587cc4421697e1c6cacb64ff5d56efbe570615d72e72b5dd3afadd468e59116b1ed1326b25c459d5f2110b9d643bfca750825efd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUNIFU_UI_V1.5.3.DLL
Filesize
323KB

MD5
e0ef2817ee5a7c8cd1eb837195768bd2

SHA1
426ea1e201c7d3dc3fadce976536edce4cd51bce

SHA256
76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930

SHA512
5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORDRPC.DLL
Filesize
84KB

MD5
696eb4e3427fb28b1b19465ee9609037

SHA1
d35b5c6d4bf4dd15efe73bf5684642170ba64e88

SHA256
db2e9346343257ba243adf620630f223dda14117cef4159228660395065e17a5

SHA512
a8ee6a772e56642a6f0710c02abf20db024cd9c0c380f776cc1eeb8c16cb685814c2b4a58a8dfc29211b26c54666c415285ac2944ceb9f584964b7d3758cec78

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.EXE.CONFIG
Filesize
1KB

MD5
c0911d7b16e774d79b85d170e367dfee

SHA1
36761b772e82f4f7cef9f92c8290e7bb5ae05695

SHA256
0f5b7f517b6f7858b412996be3777073e46059c40d5334ce9e3b5e5c2c62dbe0

SHA512
e1078d5688969ee4b54e00994e6f84a1ed1153ea2749028000ed0403c3303fb00f7291e220991a61b44673fab1189e088008345c458fdca0e0b4c642b19d6007

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.PDB
Filesize
125KB

MD5
a3a7e44468e399351cbb03ddfb49cbcd

SHA1
2939d8ec534b5d3f4af9d04bbbea44e5e981661a

SHA256
449aed2cf09d677eb8d1b72a15cc8059d633e83b2bf3d11ea7ff7e3d79b08eb2

SHA512
3a86d2362a452284eab1e3e670dbd37fa6a17b38d8554234d90aec38fbabf483ae9872d062535ae37333dd12bdfabec824bc0bd7d69eaa5ed6968633fe378c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\SITICONE.UI.DLL
Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe
Filesize
6.6MB

MD5
7ccb67211d3217bf81a5cba6646aa71e

SHA1
41ae6435dc0872ebffb2377175eac043c75aa47b

SHA256
4a6d7294cd902595eddc8888ef313abf4839b766e5aa3a7e1f7932396862ddc7

SHA512
91e1e343ef88167847f636cf90aa2aac9cd9c82520f4c4d3cffca072703f8067ec964f62b08a76a6f8350330a21ac8c7306b5cb603d0a8fef0353c47c1b5f43d

Download Submit
memory/396-127-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/396-84-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/440-99-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/440-45-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/776-237-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/776-214-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1068-235-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1068-257-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/1500-274-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1500-308-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/1632-408-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/1632-386-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1656-20-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1656-83-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/2120-139-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2120-174-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/2224-85-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/2224-31-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2536-0-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2536-121-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/2892-695-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3840-456-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3840-489-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3852-164-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3852-122-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3884-535-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3884-557-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3932-326-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3932-294-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4384-140-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/4384-104-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4588-182-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/4588-154-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4764-105-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/4764-61-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/4860-62-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/4860-6-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5132-185-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/5132-215-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5140-315-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5140-285-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/5240-606-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/5240-627-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5300-654-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/5304-735-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5356-395-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/5356-426-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5392-406-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5428-163-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/5428-187-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5464-366-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/5464-390-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5576-325-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/5576-350-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5604-245-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/5604-275-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5628-298-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5628-265-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5672-666-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/5744-195-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/5744-219-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5800-197-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5800-255-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/5800-173-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/5800-282-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5824-225-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5824-256-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/5924-203-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/5924-236-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6216-356-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/6216-385-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6316-431-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6316-405-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/6412-510-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6436-336-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6436-304-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/6448-369-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6448-335-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/6488-545-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6820-371-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6820-347-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/6832-343-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/6832-314-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/6896-544-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/6896-572-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7004-450-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7004-415-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/7064-647-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/7212-451-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7212-424-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/7232-615-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/7232-644-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7280-525-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7280-495-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/7464-434-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/7464-467-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7476-526-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7476-505-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/7484-556-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/7484-583-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7620-490-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7620-465-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/7772-476-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/7772-506-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7844-590-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7844-566-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/7912-471-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/7912-445-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/8160-553-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8160-524-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/8264-602-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8264-575-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/8568-636-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/8568-667-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8616-608-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8616-586-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/8892-623-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8892-595-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/8896-725-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/8928-626-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/8928-648-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/8948-686-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/9200-706-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download