xtremerat | 1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536

Analysis

max time kernel
67s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Size

226KB
MD5

ea95c71d3c8f55d6a51ae43dd9cde9d9
SHA1

25460dbd2c7e996de80285971e787fb83e38d32e
SHA256

1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
SHA512

789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
SSDEEP

6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

a411.no-ip.info

Signatures

Detect XtremeRAT payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1696-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1696-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/728-29-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1696-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4476-46-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4476-50-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4476-55-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4000-69-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4000-95-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3848-118-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4000-120-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	tim.exe

Executes dropped EXE 64 IoCs

Processes:

tim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

pid	process
1664	tim.exe
4476	tim.exe
796	tim.exe
4000	tim.exe
760	tim.exe
2032	tim.exe
1412	tim.exe
3848	tim.exe
1644	tim.exe
1468	tim.exe
4388	tim.exe
4556	tim.exe
3580	tim.exe
920	tim.exe
4552	tim.exe
1980	tim.exe
2368	tim.exe
4732	tim.exe
3672	tim.exe
3456	tim.exe
4124	tim.exe
4896	tim.exe
1372	tim.exe
456	tim.exe
932	tim.exe
4168	tim.exe
3076	tim.exe
856	tim.exe
2316	tim.exe
2952	tim.exe
800	tim.exe
4924	tim.exe
348	tim.exe
3184	tim.exe
1472	tim.exe
4860	tim.exe
2644	tim.exe
4988	tim.exe
3256	tim.exe
3700	tim.exe
1072	tim.exe
1492	tim.exe
1604	tim.exe
2116	tim.exe
4348	tim.exe
2312	tim.exe
2316	tim.exe
476	tim.exe
2512	tim.exe
3924	tim.exe
456	tim.exe
2188	tim.exe
5056	tim.exe
3976	tim.exe
2376	tim.exe
5132	tim.exe
5164	tim.exe
5348	tim.exe
5440	tim.exe
5500	tim.exe
5536	tim.exe
5720	tim.exe
5768	tim.exe
5936	tim.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1696-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1696-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1696-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1696-16-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/728-29-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1696-32-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4476-44-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4476-46-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4476-50-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4476-55-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4000-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4000-69-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4000-95-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3848-118-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4000-120-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Suspicious use of SetThreadContext 35 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	pid	process	target process
PID 4832 set thread context of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1664 set thread context of 4476	1664	tim.exe	tim.exe
PID 796 set thread context of 4000	796	tim.exe	tim.exe
PID 760 set thread context of 2032	760	tim.exe	tim.exe
PID 1412 set thread context of 3848	1412	tim.exe	tim.exe
PID 1644 set thread context of 1468	1644	tim.exe	tim.exe
PID 4388 set thread context of 4556	4388	tim.exe	tim.exe
PID 3580 set thread context of 920	3580	tim.exe	tim.exe
PID 4552 set thread context of 1980	4552	tim.exe	tim.exe
PID 2368 set thread context of 4732	2368	tim.exe	tim.exe
PID 3672 set thread context of 3456	3672	tim.exe	tim.exe
PID 4124 set thread context of 4896	4124	tim.exe	tim.exe
PID 1372 set thread context of 456	1372	tim.exe	tim.exe
PID 932 set thread context of 4168	932	tim.exe	tim.exe
PID 3076 set thread context of 856	3076	tim.exe	tim.exe
PID 2316 set thread context of 2952	2316	tim.exe	tim.exe
PID 4924 set thread context of 348	4924	tim.exe	tim.exe
PID 3184 set thread context of 1472	3184	tim.exe	tim.exe
PID 4860 set thread context of 2644	4860	tim.exe	tim.exe
PID 800 set thread context of 4988	800	tim.exe	tim.exe
PID 3256 set thread context of 3700	3256	tim.exe	tim.exe
PID 1072 set thread context of 1492	1072	tim.exe	tim.exe
PID 1604 set thread context of 2116	1604	tim.exe	tim.exe
PID 4348 set thread context of 2312	4348	tim.exe	tim.exe
PID 2316 set thread context of 476	2316	tim.exe	tim.exe
PID 2512 set thread context of 3924	2512	tim.exe	tim.exe
PID 456 set thread context of 2188	456	tim.exe	tim.exe
PID 3976 set thread context of 2376	3976	tim.exe	tim.exe
PID 5132 set thread context of 5164	5132	tim.exe	tim.exe
PID 5056 set thread context of 5348	5056	tim.exe	tim.exe
PID 5500 set thread context of 5536	5500	tim.exe	tim.exe
PID 5720 set thread context of 5768	5720	tim.exe	tim.exe
PID 5936 set thread context of 5972	5936	tim.exe	tim.exe
PID 6044 set thread context of 6132	6044	tim.exe	tim.exe
PID 5440 set thread context of 5240	5440	tim.exe	tim.exe

Drops file in Windows directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File created	C:\Windows\winar\tim.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\tim.exe	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe
File opened for modification	C:\Windows\winar\	tim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tim.exetim.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exetim.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	tim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	tim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tim.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

pid	process
4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
1664	tim.exe
796	tim.exe
760	tim.exe
1412	tim.exe
1644	tim.exe
4388	tim.exe
3580	tim.exe
4552	tim.exe
2368	tim.exe
3672	tim.exe
4124	tim.exe
1372	tim.exe
932	tim.exe
3076	tim.exe
2316	tim.exe
4924	tim.exe
3184	tim.exe
4860	tim.exe
800	tim.exe
3256	tim.exe
1072	tim.exe
1604	tim.exe
4348	tim.exe
2316	tim.exe
2512	tim.exe
456	tim.exe
3976	tim.exe
5132	tim.exe
5056	tim.exe
5500	tim.exe
5720	tim.exe
5936	tim.exe
6044	tim.exe
5440	tim.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exeea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exetim.exetim.exe

description	pid	process	target process
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 4832 wrote to memory of 1696	4832	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
PID 1696 wrote to memory of 728	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 1696 wrote to memory of 728	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 1696 wrote to memory of 728	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 1696 wrote to memory of 728	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	svchost.exe
PID 1696 wrote to memory of 3772	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3772	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3772	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 4260	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 4260	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 4260	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1172	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1172	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1172	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3800	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3800	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3800	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1552	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1552	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1552	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1868	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1868	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1868	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3980	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3980	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 3980	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1448	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1448	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	msedge.exe
PID 1696 wrote to memory of 1664	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 1696 wrote to memory of 1664	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 1696 wrote to memory of 1664	1696	ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 1664 wrote to memory of 4476	1664	tim.exe	tim.exe
PID 4476 wrote to memory of 1252	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1252	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1252	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1084	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1084	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1084	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 3564	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 3564	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 3564	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4872	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4872	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4872	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1224	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1224	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 1224	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4528	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4528	4476	tim.exe	msedge.exe
PID 4476 wrote to memory of 4528	4476	tim.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:728

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:752

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1800

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4552

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3328

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:2160

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:1664

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
17⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
18⤵
PID:1952

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4184

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3552

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:932

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4404

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4320

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2696

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1764

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5004

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:4388

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
12⤵
PID:3976

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5132

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
14⤵
PID:5680

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
15⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
16⤵
PID:5160

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4604

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1944

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:1280

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3184

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:920

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1740

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4440

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5460

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
10⤵
PID:5712

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5900

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
7⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
8⤵
PID:5616

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
8⤵
PID:5836

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
9⤵
PID:1240

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Drops file in Windows directory
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4488

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
- Drops file in Windows directory
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3764

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
6⤵
PID:5980

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
4⤵
PID:5252

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
5⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1448

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:3704

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:796

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4020

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4900

C:\Windows\winar\tim.exe
"C:\Windows\winar\tim.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Windows\winar\tim.exe
C:\Windows\winar\tim.exe
10⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
b84c6bacadd226389a422c878def902a

SHA1
c8475cfd4b0ff1199a6b02fb213f4fb11886cb07

SHA256
9755f94de1f241c5ac0b1fa9dee88ef18305563510a1d9adb00b3276fadade0d

SHA512
c6146e0ae39aa8f5e3add6d442632dd8e6a451b86ea37676da58f39cb2a46efde3a124f750a084fb1a80560451c42241eaaefb8e5db0564d78cfc6966eee0632

Download Submit
C:\Windows\winar\tim.exe
Filesize
226KB

MD5
ea95c71d3c8f55d6a51ae43dd9cde9d9

SHA1
25460dbd2c7e996de80285971e787fb83e38d32e

SHA256
1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536

SHA512
789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60

Download Submit
memory/728-29-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/760-78-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/760-89-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/760-91-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/760-93-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/760-80-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/760-81-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/760-87-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/760-77-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/760-75-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/760-94-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/760-92-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/796-63-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-58-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/796-73-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-66-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-71-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/796-70-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-57-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/796-60-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/796-62-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/1412-107-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-103-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-104-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-106-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-109-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-111-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-112-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-116-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1412-114-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1412-117-0x0000000002A80000-0x0000000002B80000-memory.dmp

Filesize
1024KB

Download
memory/1644-124-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1644-127-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1644-125-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1644-140-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1644-128-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1664-35-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/1664-37-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1664-48-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1664-45-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1664-47-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1664-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1664-49-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1664-43-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1664-41-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1664-38-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1696-32-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1696-16-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1696-22-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1696-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1696-20-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2032-96-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2368-232-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3580-184-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3672-255-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3848-118-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4000-67-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4000-120-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4000-95-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4000-69-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4124-283-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4388-163-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4476-50-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4476-55-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4476-44-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4476-46-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4552-209-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4832-6-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4832-12-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4832-17-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4832-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4832-3-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4832-15-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4832-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4832-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4832-1-0x0000000002B20000-0x0000000002B25000-memory.dmp

Filesize
20KB

Download
memory/4832-21-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/4832-7-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4832-9-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/4832-18-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/4832-8-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4832-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4832-14-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download