xtremerat | 3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Size

242KB
MD5

ed931c81cd2ee363652b63ff6aebb6f0
SHA1

dc7756f0987d4b6f09dbd4b52fab4de03b7b880f
SHA256

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95
SHA512

3f400615c122ddb7826571bb5864f72841a07f86cf7274f55b115585b1ea35fb442cbaca2f676ff7d05a66d9d20fee9649b0eebf0e5db7f017779e8a37be765c
SSDEEP

6144:bZqwyNZcdrNHFCAZwd4TyQOI5JgpcvqNplcdaY5vK:bZqwykxFCAVT0Iw5pZyK

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1740-52-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1740-53-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1740-56-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1740-58-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1740-72-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3016-117-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3144-165-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3240-291-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3500-342-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4720-559-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1016-634-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exejava.exejava.exejava.exe3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}\StubPath = "C:\\Windows\\java\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{OXMNJQW6-G1EB-C08W-H26G-227E0PU8220C}	java.exe

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

java.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	java.exe

Drops startup file 2 IoCs

Processes:

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdater.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdater.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe

Executes dropped EXE 54 IoCs

Processes:

java.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

pid	process
1560	java.exe
3016	java.exe
3140	java.exe
3144	java.exe
2384	java.exe
3824	java.exe
4468	java.exe
3240	java.exe
3972	java.exe
3500	java.exe
2076	java.exe
2288	java.exe
4928	java.exe
1608	java.exe
396	java.exe
1500	java.exe
4024	java.exe
2464	java.exe
552	java.exe
4720	java.exe
636	java.exe
4300	java.exe
3588	java.exe
1016	java.exe
4764	java.exe
4928	java.exe
4340	java.exe
3892	java.exe
1940	java.exe
220	java.exe
3472	java.exe
3892	java.exe
2192	java.exe
4056	java.exe
1152	java.exe
3448	java.exe
3472	java.exe
2656	java.exe
4256	java.exe
1668	java.exe
4160	java.exe
232	java.exe
3824	java.exe
2872	java.exe
3004	java.exe
5272	java.exe
5436	java.exe
5604	java.exe
5756	java.exe
5816	java.exe
5972	java.exe
6108	java.exe
5464	java.exe
5556	java.exe

Adds Run key to start application 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\java\\java.exe"	java.exe

Suspicious use of SetThreadContext 28 IoCs

Processes:

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exejava.exe

description	pid	process	target process
PID 4320 set thread context of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 1560 set thread context of 3016	1560	java.exe	java.exe
PID 3140 set thread context of 3144	3140	java.exe	java.exe
PID 2384 set thread context of 3824	2384	java.exe	java.exe
PID 4468 set thread context of 3240	4468	java.exe	java.exe
PID 3972 set thread context of 3500	3972	java.exe	java.exe
PID 2076 set thread context of 2288	2076	java.exe	java.exe
PID 4928 set thread context of 1608	4928	java.exe	java.exe
PID 396 set thread context of 1500	396	java.exe	java.exe
PID 4024 set thread context of 2464	4024	java.exe	java.exe
PID 552 set thread context of 4720	552	java.exe	java.exe
PID 636 set thread context of 4300	636	java.exe	java.exe
PID 3588 set thread context of 1016	3588	java.exe	java.exe
PID 4764 set thread context of 4928	4764	java.exe	java.exe
PID 4340 set thread context of 3892	4340	java.exe	java.exe
PID 1940 set thread context of 220	1940	java.exe	java.exe
PID 3472 set thread context of 3892	3472	java.exe	java.exe
PID 2192 set thread context of 4056	2192	java.exe	java.exe
PID 1152 set thread context of 3448	1152	java.exe	java.exe
PID 3472 set thread context of 2656	3472	java.exe	java.exe
PID 4256 set thread context of 1668	4256	java.exe	java.exe
PID 4160 set thread context of 232	4160	java.exe	java.exe
PID 3824 set thread context of 2872	3824	java.exe	java.exe
PID 3004 set thread context of 5272	3004	java.exe	java.exe
PID 5436 set thread context of 5604	5436	java.exe	java.exe
PID 5756 set thread context of 5816	5756	java.exe	java.exe
PID 5972 set thread context of 6108	5972	java.exe	java.exe
PID 5464 set thread context of 5556	5464	java.exe	java.exe

Drops file in Windows directory 2 IoCs

Processes:

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe

description	ioc	process
File opened for modification	C:\Windows\java\java.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
File created	C:\Windows\java\java.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	java.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
1560	java.exe
3140	java.exe
2384	java.exe
4468	java.exe
3972	java.exe
2076	java.exe
4928	java.exe
396	java.exe
4024	java.exe
552	java.exe
636	java.exe
3588	java.exe
4764	java.exe
4340	java.exe
1940	java.exe
3472	java.exe
2192	java.exe
1152	java.exe
3472	java.exe
4256	java.exe
4160	java.exe
3824	java.exe
3004	java.exe
5436	java.exe
5756	java.exe
5972	java.exe
5464	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exejava.exejava.exe

description	pid	process	target process
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 4320 wrote to memory of 1740	4320	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
PID 1740 wrote to memory of 1476	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 1476	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3096	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	explorer.exe
PID 1740 wrote to memory of 3096	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	explorer.exe
PID 1740 wrote to memory of 3096	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	explorer.exe
PID 1740 wrote to memory of 1476	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3580	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3580	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3580	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 2748	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 2748	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 2748	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 4500	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 4500	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 4500	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 1524	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 1524	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 1524	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3128	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3128	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3128	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3804	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3804	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3804	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3304	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 3304	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	msedge.exe
PID 1740 wrote to memory of 1560	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	java.exe
PID 1740 wrote to memory of 1560	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	java.exe
PID 1740 wrote to memory of 1560	1740	3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 1560 wrote to memory of 3016	1560	java.exe	java.exe
PID 3016 wrote to memory of 5016	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 5016	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 5016	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4200	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4200	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4200	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4296	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4296	3016	java.exe	msedge.exe
PID 3016 wrote to memory of 4296	3016	java.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
"C:\Users\Admin\AppData\Local\Temp\3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
C:\Users\Admin\AppData\Local\Temp\3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95.exe
2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1476

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3304

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\java\java.exe
C:\Windows\java\java.exe
4⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
PID:2240

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\java\java.exe
C:\Windows\java\java.exe
6⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
7⤵
PID:2308

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\java\java.exe
C:\Windows\java\java.exe
8⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
9⤵
PID:1184

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\java\java.exe
C:\Windows\java\java.exe
10⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
11⤵
PID:4956

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\java\java.exe
C:\Windows\java\java.exe
12⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
13⤵
PID:4320

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\java\java.exe
C:\Windows\java\java.exe
14⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
15⤵
PID:4496

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\java\java.exe
C:\Windows\java\java.exe
16⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
17⤵
PID:4484

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\java\java.exe
C:\Windows\java\java.exe
18⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
19⤵
PID:2244

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\java\java.exe
C:\Windows\java\java.exe
20⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
21⤵
PID:3712

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:552

C:\Windows\java\java.exe
C:\Windows\java\java.exe
22⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
23⤵
PID:3608

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:636

C:\Windows\java\java.exe
C:\Windows\java\java.exe
24⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
25⤵
PID:3176

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\java\java.exe
C:\Windows\java\java.exe
26⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
27⤵
PID:3348

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\java\java.exe
C:\Windows\java\java.exe
28⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
29⤵
PID:2292

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\java\java.exe
C:\Windows\java\java.exe
30⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
31⤵
PID:4504

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\java\java.exe
C:\Windows\java\java.exe
32⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
33⤵
PID:368

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\java\java.exe
C:\Windows\java\java.exe
34⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
35⤵
PID:3692

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\java\java.exe
C:\Windows\java\java.exe
36⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
37⤵
PID:844

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\java\java.exe
C:\Windows\java\java.exe
38⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39⤵
PID:4492

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\java\java.exe
C:\Windows\java\java.exe
40⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
41⤵
PID:5056

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\java\java.exe
C:\Windows\java\java.exe
42⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
43⤵
PID:2176

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\java\java.exe
C:\Windows\java\java.exe
44⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
45⤵
PID:4764

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\java\java.exe
C:\Windows\java\java.exe
46⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
47⤵
PID:4468

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\java\java.exe
C:\Windows\java\java.exe
48⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
49⤵
PID:5412

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\java\java.exe
C:\Windows\java\java.exe
50⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
51⤵
PID:5732

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Windows\java\java.exe
C:\Windows\java\java.exe
52⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
53⤵
PID:5948

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5972

C:\Windows\java\java.exe
C:\Windows\java\java.exe
54⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
55⤵
PID:5428

C:\Windows\java\java.exe
"C:\Windows\java\java.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5464

C:\Windows\java\java.exe
C:\Windows\java\java.exe
56⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
57⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
57⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
57⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
57⤵
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg
Filesize
1KB

MD5
2eb7f132efb9924b7174eb5458df74f5

SHA1
bde3f2f5eedc30401138575a67a74c0c7fd0163c

SHA256
d867c821917aabe27e2f116e7460b65b5404e7a671bce56f75f2f54dd9561a82

SHA512
0fb542eadc164b1c6f11d826d065d86bccb69171db3322084c5bd4803e24697edba0f477d027054284e0110d5ee684d51f1b0e4c95dcfd5b35cefcb5bdedbca9

Download Submit
C:\Windows\java\java.exe
Filesize
242KB

MD5
ed931c81cd2ee363652b63ff6aebb6f0

SHA1
dc7756f0987d4b6f09dbd4b52fab4de03b7b880f

SHA256
3b9c0116a50690bda605988ad95d72221fa7e2b8ecfe0e44fa929c347f1bcd95

SHA512
3f400615c122ddb7826571bb5864f72841a07f86cf7274f55b115585b1ea35fb442cbaca2f676ff7d05a66d9d20fee9649b0eebf0e5db7f017779e8a37be765c

Download Submit
memory/396-473-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/552-560-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/636-602-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1016-634-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1560-80-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-74-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-73-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-78-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-76-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-79-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-81-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-82-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-83-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-84-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-119-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1560-85-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1560-86-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1740-53-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1740-56-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1740-58-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1740-52-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1740-72-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1940-754-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2076-396-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2384-213-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3016-117-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3140-166-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3144-165-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3240-291-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3500-342-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3588-637-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3972-341-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4024-518-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4320-24-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-26-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-39-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-40-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-41-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-42-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-43-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-44-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-45-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-46-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-47-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-48-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-49-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-50-0x0000000002110000-0x0000000002113000-memory.dmp

Filesize
12KB

Download
memory/4320-51-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4320-37-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-36-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-35-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-57-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4320-34-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-33-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-32-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-31-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-30-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-29-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-28-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-27-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-38-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-25-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4320-23-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-22-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-21-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-20-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-19-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-18-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-17-0x00000000022E0000-0x00000000022FB000-memory.dmp

Filesize
108KB

Download
memory/4320-15-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-14-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-13-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-12-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-1-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-11-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-10-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-9-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-2-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-8-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-6-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-4-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-7-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4320-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4340-715-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4468-292-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4720-559-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4764-669-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4928-425-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download