08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 04:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
Size

10.4MB
MD5

0fb2917f566ca15c740febd6568ef2bb
SHA1

951564b4db5a0b67dff7d5c79b9b151ff9047767
SHA256

08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65
SHA512

4242e9af130461a01d54294fbda9981bf1a055525e8a6d14884b909ac7b507c68fbca63a4ab0250c300f1a3b697c94e7dcc21d4c938a9986073fe151729ed965
SSDEEP

196608:XZGmuIsR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnIsREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
968	tjxssituak.exe
3260	tjxssituak.exe
4092	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
916	qtkwjspaww.exe
3204	qtkwjspaww.exe
1368	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
2276	thbvttmkqw.exe
4900	thbvttmkqw.exe
3380	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
2552	udxcerjmzj.exe
3700	udxcerjmzj.exe
4600	sigqhisyzz.exe
2972	sigqhisyzz.exe
4816	flywvphakn.exe
2332	flywvphakn.exe
2812	scoajlhpxz.exe
2628	scoajlhpxz.exe
832	iziqgfbaoo.exe
5024	iziqgfbaoo.exe
2672	mymmzkynab.exe
3232	mymmzkynab.exe
2692	coiacyhghi.exe
3496	coiacyhghi.exe
3660	ultwpurzyl.exe
2888	ultwpurzyl.exe
876	uhskxmskxy.exe
3536	uhskxmskxy.exe
3692	zgwoqsywjl.exe
4664	zgwoqsywjl.exe
2696	mxmrdoymox.exe
4284	mxmrdoymox.exe
3952	zdqioyrhop.exe
5048	zdqioyrhop.exe
3532	jvqodltpan.exe
2208	jvqodltpan.exe
1660	oxkfnfnmrl.exe
316	oxkfnfnmrl.exe
1412	ogrokxhvwb.exe
764	ogrokxhvwb.exe
856	jbhhbkdsnt.exe
220	jbhhbkdsnt.exe
3748	wzceovberv.exe
4432	wzceovberv.exe
4956	jmefltnjil.exe
3204	jmefltnjil.exe
3528	grmovcimgc.exe
4544	grmovcimgc.exe
216	zdlrctvlqu.exe
2528	zdlrctvlqu.exe
5068	jvynhbogzm.exe
448	jvynhbogzm.exe
3700	mnrvwezwdq.exe
4092	mnrvwezwdq.exe
4884	tybeksuitv.exe
3688	tybeksuitv.exe
3336	lkahjjihln.exe
1324	lkahjjihln.exe
4988	tsycvbwzof.exe
2276	tsycvbwzof.exe
3704	onxjgwxohd.exe
4608	onxjgwxohd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
1728	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
968	tjxssituak.exe
3260	tjxssituak.exe
4092	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
916	qtkwjspaww.exe
3204	qtkwjspaww.exe
1368	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
2276	thbvttmkqw.exe
4900	thbvttmkqw.exe
3380	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
2552	udxcerjmzj.exe
3700	udxcerjmzj.exe
4600	sigqhisyzz.exe
2972	sigqhisyzz.exe
4816	flywvphakn.exe
2332	flywvphakn.exe
2812	scoajlhpxz.exe
2628	scoajlhpxz.exe
832	iziqgfbaoo.exe
5024	iziqgfbaoo.exe
2672	mymmzkynab.exe
3232	mymmzkynab.exe
2692	coiacyhghi.exe
3496	coiacyhghi.exe
3660	ultwpurzyl.exe
2888	ultwpurzyl.exe
876	uhskxmskxy.exe
3536	uhskxmskxy.exe
3692	zgwoqsywjl.exe
4664	zgwoqsywjl.exe
2696	mxmrdoymox.exe
4284	mxmrdoymox.exe
3952	zdqioyrhop.exe
5048	zdqioyrhop.exe
3532	jvqodltpan.exe
2208	jvqodltpan.exe
1660	oxkfnfnmrl.exe
316	oxkfnfnmrl.exe
1412	ogrokxhvwb.exe
764	ogrokxhvwb.exe
856	jbhhbkdsnt.exe
220	jbhhbkdsnt.exe
3748	wzceovberv.exe
4432	wzceovberv.exe
4956	jmefltnjil.exe
3204	jmefltnjil.exe
3528	grmovcimgc.exe
4544	grmovcimgc.exe
216	zdlrctvlqu.exe
2528	zdlrctvlqu.exe
5068	jvynhbogzm.exe
448	jvynhbogzm.exe
3700	mnrvwezwdq.exe
4092	mnrvwezwdq.exe
4884	tybeksuitv.exe
3688	tybeksuitv.exe
3336	lkahjjihln.exe
1324	lkahjjihln.exe
4988	tsycvbwzof.exe
2276	tsycvbwzof.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thbvttmkqw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flywvphakn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scoajlhpxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxkfnfnmrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmefltnjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsyfkciqwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtkwjspaww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnrvwfcxtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hybjtuttzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rsepyhzudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjxssituak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdwjdtkhtd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fscrfxszgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azouldirjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauhjtmzkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpcgdfxpes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onxjgwxohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppaxvgbxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otrvzsgnob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdlrctvlqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzceovberv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lkahjjihln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssmtpfouvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdwjdtkhtd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmlmdtiefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tybeksuitv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsycvbwzof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grmovcimgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tybeksuitv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlceztuilq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fscrfxszgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxmrdoymox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnrvwezwdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udxcerjmzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ultwpurzyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdqioyrhop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpxssedgks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kzixkpxmjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myioxgwleq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sigqhisyzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiacyhghi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ultwpurzyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kzixkpxmjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktwakaawii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauhjtmzkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogrokxhvwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhskxmskxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxmrdoymox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdqioyrhop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iziqgfbaoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnrvwezwdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxmyocxups.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzceovberv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hybjtuttzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rsepyhzudg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmefltnjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbhhbkdsnt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdlrctvlqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsycvbwzof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktwakaawii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgwoqsywjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlceztuilq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djertkqkex.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
1728	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
1728	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
968	tjxssituak.exe
968	tjxssituak.exe
968	tjxssituak.exe
968	tjxssituak.exe
3260	tjxssituak.exe
3260	tjxssituak.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
4092	qlbvzvpvlw.exe
4092	qlbvzvpvlw.exe
4092	qlbvzvpvlw.exe
4092	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
916	qtkwjspaww.exe
916	qtkwjspaww.exe
968	tjxssituak.exe
968	tjxssituak.exe
916	qtkwjspaww.exe
916	qtkwjspaww.exe
3204	qtkwjspaww.exe
3204	qtkwjspaww.exe
1368	xmlmdtiefq.exe
1368	xmlmdtiefq.exe
4092	qlbvzvpvlw.exe
4092	qlbvzvpvlw.exe
1368	xmlmdtiefq.exe
1368	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
2276	thbvttmkqw.exe
2276	thbvttmkqw.exe
2276	thbvttmkqw.exe
2276	thbvttmkqw.exe
916	qtkwjspaww.exe
916	qtkwjspaww.exe
4900	thbvttmkqw.exe
4900	thbvttmkqw.exe
1368	xmlmdtiefq.exe
1368	xmlmdtiefq.exe
3380	vnrvwfcxtb.exe
3380	vnrvwfcxtb.exe
3380	vnrvwfcxtb.exe
3380	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
2276	thbvttmkqw.exe
2276	thbvttmkqw.exe
2552	udxcerjmzj.exe
2552	udxcerjmzj.exe
2552	udxcerjmzj.exe
2552	udxcerjmzj.exe
3700	udxcerjmzj.exe
3700	udxcerjmzj.exe
3380	vnrvwfcxtb.exe
3380	vnrvwfcxtb.exe
4600	sigqhisyzz.exe
4600	sigqhisyzz.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
1728	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
1728	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
968	tjxssituak.exe
968	tjxssituak.exe
3260	tjxssituak.exe
3260	tjxssituak.exe
4092	qlbvzvpvlw.exe
4092	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
4956	qlbvzvpvlw.exe
916	qtkwjspaww.exe
916	qtkwjspaww.exe
3204	qtkwjspaww.exe
3204	qtkwjspaww.exe
1368	xmlmdtiefq.exe
1368	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
1612	xmlmdtiefq.exe
2276	thbvttmkqw.exe
2276	thbvttmkqw.exe
4900	thbvttmkqw.exe
4900	thbvttmkqw.exe
3380	vnrvwfcxtb.exe
3380	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
4384	vnrvwfcxtb.exe
2552	udxcerjmzj.exe
2552	udxcerjmzj.exe
3700	udxcerjmzj.exe
3700	udxcerjmzj.exe
4600	sigqhisyzz.exe
4600	sigqhisyzz.exe
2972	sigqhisyzz.exe
2972	sigqhisyzz.exe
4816	flywvphakn.exe
4816	flywvphakn.exe
2332	flywvphakn.exe
2332	flywvphakn.exe
2812	scoajlhpxz.exe
2812	scoajlhpxz.exe
2628	scoajlhpxz.exe
2628	scoajlhpxz.exe
832	iziqgfbaoo.exe
832	iziqgfbaoo.exe
5024	iziqgfbaoo.exe
5024	iziqgfbaoo.exe
2672	mymmzkynab.exe
2672	mymmzkynab.exe
3232	mymmzkynab.exe
3232	mymmzkynab.exe
2692	coiacyhghi.exe
2692	coiacyhghi.exe
3496	coiacyhghi.exe
3496	coiacyhghi.exe
3660	ultwpurzyl.exe
3660	ultwpurzyl.exe
2888	ultwpurzyl.exe
2888	ultwpurzyl.exe
876	uhskxmskxy.exe
876	uhskxmskxy.exe
3536	uhskxmskxy.exe
3536	uhskxmskxy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1728	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	82
PID 2928 wrote to memory of 1728	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	82
PID 2928 wrote to memory of 1728	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	82
PID 2928 wrote to memory of 968	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	83
PID 2928 wrote to memory of 968	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	83
PID 2928 wrote to memory of 968	2928	08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe	83
PID 968 wrote to memory of 3260	968	tjxssituak.exe	84
PID 968 wrote to memory of 3260	968	tjxssituak.exe	84
PID 968 wrote to memory of 3260	968	tjxssituak.exe	84
PID 968 wrote to memory of 4092	968	tjxssituak.exe	85
PID 968 wrote to memory of 4092	968	tjxssituak.exe	85
PID 968 wrote to memory of 4092	968	tjxssituak.exe	85
PID 4092 wrote to memory of 4956	4092	qlbvzvpvlw.exe	86
PID 4092 wrote to memory of 4956	4092	qlbvzvpvlw.exe	86
PID 4092 wrote to memory of 4956	4092	qlbvzvpvlw.exe	86
PID 4092 wrote to memory of 916	4092	qlbvzvpvlw.exe	87
PID 4092 wrote to memory of 916	4092	qlbvzvpvlw.exe	87
PID 4092 wrote to memory of 916	4092	qlbvzvpvlw.exe	87
PID 916 wrote to memory of 3204	916	qtkwjspaww.exe	88
PID 916 wrote to memory of 3204	916	qtkwjspaww.exe	88
PID 916 wrote to memory of 3204	916	qtkwjspaww.exe	88
PID 916 wrote to memory of 1368	916	qtkwjspaww.exe	89
PID 916 wrote to memory of 1368	916	qtkwjspaww.exe	89
PID 916 wrote to memory of 1368	916	qtkwjspaww.exe	89
PID 1368 wrote to memory of 1612	1368	xmlmdtiefq.exe	90
PID 1368 wrote to memory of 1612	1368	xmlmdtiefq.exe	90
PID 1368 wrote to memory of 1612	1368	xmlmdtiefq.exe	90
PID 1368 wrote to memory of 2276	1368	xmlmdtiefq.exe	91
PID 1368 wrote to memory of 2276	1368	xmlmdtiefq.exe	91
PID 1368 wrote to memory of 2276	1368	xmlmdtiefq.exe	91
PID 2276 wrote to memory of 4900	2276	thbvttmkqw.exe	92
PID 2276 wrote to memory of 4900	2276	thbvttmkqw.exe	92
PID 2276 wrote to memory of 4900	2276	thbvttmkqw.exe	92
PID 2276 wrote to memory of 3380	2276	thbvttmkqw.exe	93
PID 2276 wrote to memory of 3380	2276	thbvttmkqw.exe	93
PID 2276 wrote to memory of 3380	2276	thbvttmkqw.exe	93
PID 3380 wrote to memory of 4384	3380	vnrvwfcxtb.exe	94
PID 3380 wrote to memory of 4384	3380	vnrvwfcxtb.exe	94
PID 3380 wrote to memory of 4384	3380	vnrvwfcxtb.exe	94
PID 3380 wrote to memory of 2552	3380	vnrvwfcxtb.exe	95
PID 3380 wrote to memory of 2552	3380	vnrvwfcxtb.exe	95
PID 3380 wrote to memory of 2552	3380	vnrvwfcxtb.exe	95
PID 2552 wrote to memory of 3700	2552	udxcerjmzj.exe	96
PID 2552 wrote to memory of 3700	2552	udxcerjmzj.exe	96
PID 2552 wrote to memory of 3700	2552	udxcerjmzj.exe	96
PID 2552 wrote to memory of 4600	2552	udxcerjmzj.exe	97
PID 2552 wrote to memory of 4600	2552	udxcerjmzj.exe	97
PID 2552 wrote to memory of 4600	2552	udxcerjmzj.exe	97
PID 4600 wrote to memory of 2972	4600	sigqhisyzz.exe	98
PID 4600 wrote to memory of 2972	4600	sigqhisyzz.exe	98
PID 4600 wrote to memory of 2972	4600	sigqhisyzz.exe	98
PID 4600 wrote to memory of 4816	4600	sigqhisyzz.exe	99
PID 4600 wrote to memory of 4816	4600	sigqhisyzz.exe	99
PID 4600 wrote to memory of 4816	4600	sigqhisyzz.exe	99
PID 4816 wrote to memory of 2332	4816	flywvphakn.exe	100
PID 4816 wrote to memory of 2332	4816	flywvphakn.exe	100
PID 4816 wrote to memory of 2332	4816	flywvphakn.exe	100
PID 4816 wrote to memory of 2812	4816	flywvphakn.exe	101
PID 4816 wrote to memory of 2812	4816	flywvphakn.exe	101
PID 4816 wrote to memory of 2812	4816	flywvphakn.exe	101
PID 2812 wrote to memory of 2628	2812	scoajlhpxz.exe	102
PID 2812 wrote to memory of 2628	2812	scoajlhpxz.exe	102
PID 2812 wrote to memory of 2628	2812	scoajlhpxz.exe	102
PID 2812 wrote to memory of 832	2812	scoajlhpxz.exe	103

C:\Users\Admin\AppData\Local\Temp\08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
"C:\Users\Admin\AppData\Local\Temp\08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe
  C:\Users\Admin\AppData\Local\Temp\08f080957728a3a1eaea51c0d8fb185d1ad1a6e5665e5d43e6f2b4ce20851d65.exe update tjxssituak.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\tjxssituak.exe
  C:\Users\Admin\AppData\Local\Temp\tjxssituak.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\tjxssituak.exe
    C:\Users\Admin\AppData\Local\Temp\tjxssituak.exe update qlbvzvpvlw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3260
- - C:\Users\Admin\AppData\Local\Temp\qlbvzvpvlw.exe
    C:\Users\Admin\AppData\Local\Temp\qlbvzvpvlw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\qlbvzvpvlw.exe
      C:\Users\Admin\AppData\Local\Temp\qlbvzvpvlw.exe update qtkwjspaww.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\qtkwjspaww.exe
      C:\Users\Admin\AppData\Local\Temp\qtkwjspaww.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\qtkwjspaww.exe
        
        C:\Users\Admin\AppData\Local\Temp\qtkwjspaww.exe update xmlmdtiefq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\xmlmdtiefq.exe
        
        C:\Users\Admin\AppData\Local\Temp\xmlmdtiefq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\xmlmdtiefq.exe
        
        C:\Users\Admin\AppData\Local\Temp\xmlmdtiefq.exe update thbvttmkqw.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\thbvttmkqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\thbvttmkqw.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\thbvttmkqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\thbvttmkqw.exe update vnrvwfcxtb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\vnrvwfcxtb.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnrvwfcxtb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\vnrvwfcxtb.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnrvwfcxtb.exe update udxcerjmzj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\udxcerjmzj.exe
        
        C:\Users\Admin\AppData\Local\Temp\udxcerjmzj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\udxcerjmzj.exe
        
        C:\Users\Admin\AppData\Local\Temp\udxcerjmzj.exe update sigqhisyzz.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\sigqhisyzz.exe
        
        C:\Users\Admin\AppData\Local\Temp\sigqhisyzz.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\sigqhisyzz.exe
        
        C:\Users\Admin\AppData\Local\Temp\sigqhisyzz.exe update flywvphakn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\flywvphakn.exe
        
        C:\Users\Admin\AppData\Local\Temp\flywvphakn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\flywvphakn.exe
        
        C:\Users\Admin\AppData\Local\Temp\flywvphakn.exe update scoajlhpxz.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\scoajlhpxz.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoajlhpxz.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\scoajlhpxz.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoajlhpxz.exe update iziqgfbaoo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\iziqgfbaoo.exe
        
        C:\Users\Admin\AppData\Local\Temp\iziqgfbaoo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\iziqgfbaoo.exe
        
        C:\Users\Admin\AppData\Local\Temp\iziqgfbaoo.exe update mymmzkynab.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\mymmzkynab.exe
        
        C:\Users\Admin\AppData\Local\Temp\mymmzkynab.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\mymmzkynab.exe
        
        C:\Users\Admin\AppData\Local\Temp\mymmzkynab.exe update coiacyhghi.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\coiacyhghi.exe
        
        C:\Users\Admin\AppData\Local\Temp\coiacyhghi.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\coiacyhghi.exe
        
        C:\Users\Admin\AppData\Local\Temp\coiacyhghi.exe update ultwpurzyl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\ultwpurzyl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ultwpurzyl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\ultwpurzyl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ultwpurzyl.exe update uhskxmskxy.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\uhskxmskxy.exe
        
        C:\Users\Admin\AppData\Local\Temp\uhskxmskxy.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\uhskxmskxy.exe
        
        C:\Users\Admin\AppData\Local\Temp\uhskxmskxy.exe update zgwoqsywjl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\zgwoqsywjl.exe
        
        C:\Users\Admin\AppData\Local\Temp\zgwoqsywjl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\zgwoqsywjl.exe
        
        C:\Users\Admin\AppData\Local\Temp\zgwoqsywjl.exe update mxmrdoymox.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\mxmrdoymox.exe
        
        C:\Users\Admin\AppData\Local\Temp\mxmrdoymox.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\mxmrdoymox.exe
        
        C:\Users\Admin\AppData\Local\Temp\mxmrdoymox.exe update zdqioyrhop.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\zdqioyrhop.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdqioyrhop.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\zdqioyrhop.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdqioyrhop.exe update jvqodltpan.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\jvqodltpan.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvqodltpan.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\jvqodltpan.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvqodltpan.exe update oxkfnfnmrl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\oxkfnfnmrl.exe
        
        C:\Users\Admin\AppData\Local\Temp\oxkfnfnmrl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\oxkfnfnmrl.exe
        
        C:\Users\Admin\AppData\Local\Temp\oxkfnfnmrl.exe update ogrokxhvwb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\ogrokxhvwb.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogrokxhvwb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\ogrokxhvwb.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogrokxhvwb.exe update jbhhbkdsnt.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\jbhhbkdsnt.exe
        
        C:\Users\Admin\AppData\Local\Temp\jbhhbkdsnt.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\jbhhbkdsnt.exe
        
        C:\Users\Admin\AppData\Local\Temp\jbhhbkdsnt.exe update wzceovberv.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe update jmefltnjil.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\jmefltnjil.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmefltnjil.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\jmefltnjil.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmefltnjil.exe update grmovcimgc.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\grmovcimgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\grmovcimgc.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\grmovcimgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\grmovcimgc.exe update zdlrctvlqu.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\zdlrctvlqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdlrctvlqu.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\zdlrctvlqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdlrctvlqu.exe update jvynhbogzm.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe update mnrvwezwdq.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\mnrvwezwdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnrvwezwdq.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\mnrvwezwdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnrvwezwdq.exe update tybeksuitv.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tybeksuitv.exe
        
        C:\Users\Admin\AppData\Local\Temp\tybeksuitv.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tybeksuitv.exe
        
        C:\Users\Admin\AppData\Local\Temp\tybeksuitv.exe update lkahjjihln.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\lkahjjihln.exe
        
        C:\Users\Admin\AppData\Local\Temp\lkahjjihln.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\lkahjjihln.exe
        
        C:\Users\Admin\AppData\Local\Temp\lkahjjihln.exe update tsycvbwzof.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tsycvbwzof.exe
        
        C:\Users\Admin\AppData\Local\Temp\tsycvbwzof.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tsycvbwzof.exe
        
        C:\Users\Admin\AppData\Local\Temp\tsycvbwzof.exe update onxjgwxohd.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        33⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe update tlceztuilq.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tlceztuilq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlceztuilq.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tlceztuilq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlceztuilq.exe update lpcgdfxpes.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe update kxmyocxups.exe
        36⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\kxmyocxups.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxmyocxups.exe
        36⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\kxmyocxups.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxmyocxups.exe update fscrfxszgj.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\fscrfxszgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\fscrfxszgj.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\fscrfxszgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\fscrfxszgj.exe update vbydlabola.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\vbydlabola.exe
        
        C:\Users\Admin\AppData\Local\Temp\vbydlabola.exe
        38⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\vbydlabola.exe
        
        C:\Users\Admin\AppData\Local\Temp\vbydlabola.exe update iseqldlvhc.exe
        39⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\iseqldlvhc.exe
        
        C:\Users\Admin\AppData\Local\Temp\iseqldlvhc.exe
        39⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\iseqldlvhc.exe
        
        C:\Users\Admin\AppData\Local\Temp\iseqldlvhc.exe update alqeerimze.exe
        40⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\alqeerimze.exe
        
        C:\Users\Admin\AppData\Local\Temp\alqeerimze.exe
        40⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\alqeerimze.exe
        
        C:\Users\Admin\AppData\Local\Temp\alqeerimze.exe update sppaxvgbxi.exe
        41⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\sppaxvgbxi.exe
        
        C:\Users\Admin\AppData\Local\Temp\sppaxvgbxi.exe
        41⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\sppaxvgbxi.exe
        
        C:\Users\Admin\AppData\Local\Temp\sppaxvgbxi.exe update ffvgfxqrtc.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\ffvgfxqrtc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ffvgfxqrtc.exe
        42⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\ffvgfxqrtc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ffvgfxqrtc.exe update ablzwtlnsc.exe
        43⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\ablzwtlnsc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ablzwtlnsc.exe
        43⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\ablzwtlnsc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ablzwtlnsc.exe update vsyfkciqwg.exe
        44⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\vsyfkciqwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsyfkciqwg.exe
        44⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\vsyfkciqwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsyfkciqwg.exe update ktwakaawii.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\ktwakaawii.exe
        
        C:\Users\Admin\AppData\Local\Temp\ktwakaawii.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\ktwakaawii.exe
        
        C:\Users\Admin\AppData\Local\Temp\ktwakaawii.exe update djertkqkex.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\djertkqkex.exe
        
        C:\Users\Admin\AppData\Local\Temp\djertkqkex.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\djertkqkex.exe
        
        C:\Users\Admin\AppData\Local\Temp\djertkqkex.exe update azouldirjq.exe
        47⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\azouldirjq.exe
        
        C:\Users\Admin\AppData\Local\Temp\azouldirjq.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\azouldirjq.exe
        
        C:\Users\Admin\AppData\Local\Temp\azouldirjq.exe update xpxssedgks.exe
        48⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\xpxssedgks.exe
        
        C:\Users\Admin\AppData\Local\Temp\xpxssedgks.exe
        48⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\xpxssedgks.exe
        
        C:\Users\Admin\AppData\Local\Temp\xpxssedgks.exe update ssmtpfouvy.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\ssmtpfouvy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ssmtpfouvy.exe
        49⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\ssmtpfouvy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ssmtpfouvy.exe update zdwjdtkhtd.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe update kzixkpxmjw.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\kzixkpxmjw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzixkpxmjw.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\kzixkpxmjw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzixkpxmjw.exe update xrnlyymhoj.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\xrnlyymhoj.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrnlyymhoj.exe
        52⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\xrnlyymhoj.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrnlyymhoj.exe update hybjtuttzh.exe
        53⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\hybjtuttzh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hybjtuttzh.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\hybjtuttzh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hybjtuttzh.exe update mauhjtmzkl.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\mauhjtmzkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\mauhjtmzkl.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\mauhjtmzkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\mauhjtmzkl.exe update cudlvjziwn.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\cudlvjziwn.exe
        
        C:\Users\Admin\AppData\Local\Temp\cudlvjziwn.exe
        55⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\cudlvjziwn.exe
        
        C:\Users\Admin\AppData\Local\Temp\cudlvjziwn.exe update mmbezwdygf.exe
        56⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\mmbezwdygf.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmbezwdygf.exe
        56⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\mmbezwdygf.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmbezwdygf.exe update rsepyhzudg.exe
        57⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\rsepyhzudg.exe
        
        C:\Users\Admin\AppData\Local\Temp\rsepyhzudg.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\rsepyhzudg.exe
        
        C:\Users\Admin\AppData\Local\Temp\rsepyhzudg.exe update otrvzsgnob.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\otrvzsgnob.exe
        
        C:\Users\Admin\AppData\Local\Temp\otrvzsgnob.exe
        58⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\otrvzsgnob.exe
        
        C:\Users\Admin\AppData\Local\Temp\otrvzsgnob.exe update myioxgwleq.exe
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\myioxgwleq.exe
        
        C:\Users\Admin\AppData\Local\Temp\myioxgwleq.exe
        59⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\myioxgwleq.exe
        
        C:\Users\Admin\AppData\Local\Temp\myioxgwleq.exe update botrbakwig.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\botrbakwig.exe
        
        C:\Users\Admin\AppData\Local\Temp\botrbakwig.exe
        60⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\botrbakwig.exe
        
        C:\Users\Admin\AppData\Local\Temp\botrbakwig.exe update mnizltfwln.exe
        61⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        61⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe update oylsujsuwd.exe
        62⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\oylsujsuwd.exe
        
        C:\Users\Admin\AppData\Local\Temp\oylsujsuwd.exe
        62⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\oylsujsuwd.exe
        
        C:\Users\Admin\AppData\Local\Temp\oylsujsuwd.exe update baclfqjemk.exe
        63⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\baclfqjemk.exe
        
        C:\Users\Admin\AppData\Local\Temp\baclfqjemk.exe
        63⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\baclfqjemk.exe
        
        C:\Users\Admin\AppData\Local\Temp\baclfqjemk.exe update mekmjbmlfu.exe
        64⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\mekmjbmlfu.exe
        
        C:\Users\Admin\AppData\Local\Temp\mekmjbmlfu.exe
        64⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\mekmjbmlfu.exe
        
        C:\Users\Admin\AppData\Local\Temp\mekmjbmlfu.exe update osqsdvflcx.exe
        65⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\osqsdvflcx.exe
        
        C:\Users\Admin\AppData\Local\Temp\osqsdvflcx.exe
        65⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\osqsdvflcx.exe
        
        C:\Users\Admin\AppData\Local\Temp\osqsdvflcx.exe update gwqgwhdbaa.exe
        66⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\gwqgwhdbaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwqgwhdbaa.exe
        66⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\gwqgwhdbaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwqgwhdbaa.exe update jgahoxqzkq.exe
        67⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\jgahoxqzkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jgahoxqzkq.exe
        67⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\jgahoxqzkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jgahoxqzkq.exe update jobpwigwhx.exe
        68⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\jobpwigwhx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jobpwigwhx.exe
        68⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\jobpwigwhx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jobpwigwhx.exe update wbwqbgrazm.exe
        69⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\wbwqbgrazm.exe
        
        C:\Users\Admin\AppData\Local\Temp\wbwqbgrazm.exe
        69⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\wbwqbgrazm.exe
        
        C:\Users\Admin\AppData\Local\Temp\wbwqbgrazm.exe update qiurwsincr.exe
        70⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\qiurwsincr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiurwsincr.exe
        70⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\qiurwsincr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiurwsincr.exe update dopcvceias.exe
        71⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\dopcvceias.exe
        
        C:\Users\Admin\AppData\Local\Temp\dopcvceias.exe
        71⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\dopcvceias.exe
        
        C:\Users\Admin\AppData\Local\Temp\dopcvceias.exe update tpvfvawwlu.exe
        72⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tpvfvawwlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\tpvfvawwlu.exe
        72⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tpvfvawwlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\tpvfvawwlu.exe update ttjwpzqqbp.exe
        73⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\ttjwpzqqbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ttjwpzqqbp.exe
        73⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\ttjwpzqqbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ttjwpzqqbp.exe update oozphmdvsh.exe
        74⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\oozphmdvsh.exe
        
        C:\Users\Admin\AppData\Local\Temp\oozphmdvsh.exe
        74⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\oozphmdvsh.exe
        
        C:\Users\Admin\AppData\Local\Temp\oozphmdvsh.exe update dlsssgzhwy.exe
        75⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\dlsssgzhwy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlsssgzhwy.exe
        75⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\dlsssgzhwy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlsssgzhwy.exe update yskgzsnktb.exe
        76⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\yskgzsnktb.exe
        
        C:\Users\Admin\AppData\Local\Temp\yskgzsnktb.exe
        76⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\yskgzsnktb.exe
        
        C:\Users\Admin\AppData\Local\Temp\yskgzsnktb.exe update nidrlmbepr.exe
        77⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\nidrlmbepr.exe
        
        C:\Users\Admin\AppData\Local\Temp\nidrlmbepr.exe
        77⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\nidrlmbepr.exe
        
        C:\Users\Admin\AppData\Local\Temp\nidrlmbepr.exe update kjyhgrafgx.exe
        78⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\kjyhgrafgx.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjyhgrafgx.exe
        78⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\kjyhgrafgx.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjyhgrafgx.exe update aojfbrkayb.exe
        79⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\aojfbrkayb.exe
        
        C:\Users\Admin\AppData\Local\Temp\aojfbrkayb.exe
        79⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\aojfbrkayb.exe
        
        C:\Users\Admin\AppData\Local\Temp\aojfbrkayb.exe update iatnpmfmoo.exe
        80⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\iatnpmfmoo.exe
        
        C:\Users\Admin\AppData\Local\Temp\iatnpmfmoo.exe
        80⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\iatnpmfmoo.exe
        
        C:\Users\Admin\AppData\Local\Temp\iatnpmfmoo.exe update vukgatxwew.exe
        81⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\vukgatxwew.exe
        
        C:\Users\Admin\AppData\Local\Temp\vukgatxwew.exe
        81⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\vukgatxwew.exe
        
        C:\Users\Admin\AppData\Local\Temp\vukgatxwew.exe update ymmxpwilia.exe
        82⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\ymmxpwilia.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymmxpwilia.exe
        82⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\ymmxpwilia.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymmxpwilia.exe update cheaupjefb.exe
        83⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\cheaupjefb.exe
        
        C:\Users\Admin\AppData\Local\Temp\cheaupjefb.exe
        83⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\cheaupjefb.exe
        
        C:\Users\Admin\AppData\Local\Temp\cheaupjefb.exe update xzstugvyme.exe
        84⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\xzstugvyme.exe
        
        C:\Users\Admin\AppData\Local\Temp\xzstugvyme.exe
        84⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\xzstugvyme.exe
        
        C:\Users\Admin\AppData\Local\Temp\xzstugvyme.exe update nwdxfsrriv.exe
        85⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\nwdxfsrriv.exe
        
        C:\Users\Admin\AppData\Local\Temp\nwdxfsrriv.exe
        85⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\nwdxfsrriv.exe
        
        C:\Users\Admin\AppData\Local\Temp\nwdxfsrriv.exe update icvkxxbagn.exe
        86⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\icvkxxbagn.exe
        
        C:\Users\Admin\AppData\Local\Temp\icvkxxbagn.exe
        86⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\icvkxxbagn.exe
        
        C:\Users\Admin\AppData\Local\Temp\icvkxxbagn.exe update ikdncauxie.exe
        87⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\ikdncauxie.exe
        
        C:\Users\Admin\AppData\Local\Temp\ikdncauxie.exe
        87⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\ikdncauxie.exe
        
        C:\Users\Admin\AppData\Local\Temp\ikdncauxie.exe update hdpjvpqnay.exe
        88⤵
        
        PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\coiacyhghi.exe

Filesize
10.4MB

MD5
df8c2a1b5d481f84af2f381df16e02f8

SHA1
b5103c60fd0f6f37e113bcbdb947f2c69cbbb48f

SHA256
e5077d606274c37f80d38ed89771f5c12ab73598783e3f927f6c573b8cdb4067

SHA512
75b52c77fcc687601ad40ad6d772a7cc3da922e5315a65b7c6d9a427918fe9257c36e86be32cccee2c551213ba24551b1f4f12feb4762460e19eea9678ba5f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\flywvphakn.exe

Filesize
10.4MB

MD5
d242b15cfc40fbdbfcc2d57664bca533

SHA1
23a5e3093ccf3dad3b1a31c1a7c4f17eda1db168

SHA256
9685bbf9237dd44f60b5b771a6f8af8c34e8b307e1111a9e9950ad87c0ccae3e

SHA512
85116c5f3b179dcf32c5c005c70f5423e29936b2e8b85a2099f21347583fa5bcec08168f82655a7f13660744c94857c8e08e328c1017fbd50b52d76b94894c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iziqgfbaoo.exe

Filesize
10.4MB

MD5
0821e4e221634d698e3b345fa214dd0d

SHA1
66c6944d68dc685885e439532bbbdbaa1081fc0d

SHA256
7d41a6b1dcc78ee7152281d4da3299a6d9e6b28a3cea862d00f686a465765b0d

SHA512
9bdd645e570ebf10c349037f436eb2d91365980aa2fb1c958cce4777baac164828d3a0588cb9f5be7d2b47ab6c5d1ca762ad4932baab70cd019dc09904e8db45

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxmrdoymox.exe

Filesize
10.4MB

MD5
7361bee6de4b1c9839924bd954b61599

SHA1
14c76c33934d9e1d6639040e6432b0671817f7ab

SHA256
511f93877250ea594500073267b7ab1b0e60261f2da9947d15a622cd60f335db

SHA512
9bbf54636ee1c48b673e1dac9a85052fe13787e715b393b68457ef181000d8e6ca445be0586cad19a09d6f3bdf7b9025d27388c0dfe87aba5107403d8e087528

Download Submit
C:\Users\Admin\AppData\Local\Temp\mymmzkynab.exe

Filesize
10.4MB

MD5
4da00ac7aa357e7321daed539116f684

SHA1
02cdf08066fe7087cb6f34a050f4ee4621abc8fd

SHA256
c2fde4eda4b0e509ad0faf2a3e8066003747eda78735ab9e9dc7c4f14502039c

SHA512
f90b9136232abe39c4d6c4cedea6e137b74627bcccfa7622d22135c736b105ad3f9eda78b5311b570c9ef3100b7ba9e158c86dc061ab59c4494de3b279a214a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlbvzvpvlw.exe

Filesize
10.4MB

MD5
5c8783882102847e12d5b1694a6d0a92

SHA1
f534251e6fa230848a0dd6f05eb736c82ec25c41

SHA256
bb48fd8157f3aa5cfb8353f854fe56f59e00deaf0d69a6106b6d69c5ef8d0de2

SHA512
8567e12e4ec7fd8c354cdd9b61ba24a2f484128cd13a9d0b204be50f7db166549fa1af228452caa626388fd84dbfe81b8129fac893d4b9cc1f341b63ae17d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtkwjspaww.exe

Filesize
10.4MB

MD5
3112e93227a1eaf2d4ca42a1501ad7cc

SHA1
b99042a8f2ec799761205fde7c8025a4ab0e4ce8

SHA256
846e9c5a4dc9b27bf7533e4ba7fc5c748aeedf8aa35c94d67e50f9f8c3da35dd

SHA512
c844629b8863ea15457250cdfec7d7da29054523d9c774d5e3c8729d3c8dfeb8055f73da00fa3ff6acd56e13e0a71cbfd55ff28e25e8bcbebc898dc5e86480e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoajlhpxz.exe

Filesize
10.4MB

MD5
f09ba3fda9c168ddb82bbb46daf2576c

SHA1
d8fe173123a559278bc41442c1c870c57f93a021

SHA256
dd4e85d8f93269eca6a1aba69dc08ac88305bdda468eb35ab4925dc053e99906

SHA512
7ce6b04111aa3d21bd68afc53f4a6c972520eb8e8c60e685a4ee7fd30bb1d8f1becc307d1f89f3d20f359160de6c40df0304c41b19c64c63024d7ec087fbc966

Download Submit
C:\Users\Admin\AppData\Local\Temp\sigqhisyzz.exe

Filesize
10.4MB

MD5
f491fe079a56d24eb9e521d9b36d23f1

SHA1
b97937303a4e85351bbeccff2887019f1d7f451e

SHA256
0f5b084a394c50d3f6f396ecd2d599194cc809bf2f49eb63f69c2e21ee57280d

SHA512
58cb3610cde7a851d841d9797ec88efb86153a717ccc37d78ecdda2077be44f7653d0e4c4ba9b3b15d2c01a58fc278c113952d01314cd58a1a63524c8bc31da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\thbvttmkqw.exe

Filesize
10.4MB

MD5
595b94b1f191fd2c2bc3e7cec8dadb25

SHA1
ae7921403d8a9ca14bb4d2e1afa271e4b74b58ce

SHA256
1ef4a7de1bfade78486eb60746515b8fbfb40cba730f9b12b097f3b14b76fbb3

SHA512
6e893dfb07474b0e13ad58388109b5a240d9e0c76bdfd39f60352f37a1f5a3be8a54ea84b3006b28bdd3fef6189e424028d76224f9e3f37f68a1e1e2e3c8395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjxssituak.exe

Filesize
10.4MB

MD5
dfdec7c6b8020eae04a58821360f31f1

SHA1
7038bf590641222823ea58f8b880bc3f6cc7a2a5

SHA256
839861c533b3f7478ea9f5bea94320d305db7333758a86c6bf64ff7e6ea22698

SHA512
bc1c0d1f05876527e25dc134385c12c7cee3ec66bdf0822d7e27d12145c5a0a8690c5d32abdda807f4a05b0a45c3e3d9511a5c0718842892ddf6871646ea6507

Download Submit
C:\Users\Admin\AppData\Local\Temp\udxcerjmzj.exe

Filesize
10.4MB

MD5
399004607c94fd207fdd256b259a9b7c

SHA1
8cab866dc36215d3a262082bb9ee0cf2a3581a0f

SHA256
ecf661ac2948491497e13455a51b9eee3ee0ad7ff059c6a08386d90d0627644b

SHA512
9cece7d98ba9c94283ae47ccb71b43caef3aec5226b519eac5e3cad79461a5b5a953cbf0db8add20cc804cccad48f22450b906d8d7c0de3ce37bffe9bc49a7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhskxmskxy.exe

Filesize
10.4MB

MD5
e222272b01fc7d0b2175feadf58ecc16

SHA1
d4becafc5b4e5f6745b295b9077da236ae8e69a0

SHA256
71ce2f73e334b6e4b2ec4106691976a3480201e03ecf52d782349f250848291c

SHA512
e6500c0e1af08dbf24e1efa791db1aae8bc8fb6bb657ec24c23e9f98a8e80a3db76eec8069ce26889f6be9cbaede9706f423ad768521f0c21065d4b83984f667

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultwpurzyl.exe

Filesize
10.4MB

MD5
1290b8ea21973d3354235f813c8ba425

SHA1
c5eca2ff07b189409bce2cf682ae2aed65ed11a7

SHA256
5e7f07b88bca9e17b45a18e9ae758e1599a1a31ea5d7e9b50ca96256a7042424

SHA512
adeed8eba9f186c9d55fd2dcdb92620a1746a8821e3f1b42fec4c32a4fc75bba131ca0b3b861781548957e11e36b036d169e237d7910f27c97a48d9283ed9048

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
d153164271c0107a51514388476c11e1

SHA1
7d9ce060a6e4a12631e25bea9f38a0cde2328b9a

SHA256
2b20dbf0032b0ea9e4012fd2ffb545abc68542377dd27996f2dee571d4b005db

SHA512
dcab92c99ba890747ae7b8bee63b895c62751b449b275a2909960a2eccb406d25a91cd357291a374ef85ab158af6b0a5b3b117125cbd2692505954f6b95caae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
ba81e22b2fb02b2ab18d5ab4a073f9b4

SHA1
f8129e27bb61adb1dcc5391f54ce8e0b71d073b3

SHA256
a3869f862eb9440520294ea69d15a73b72a4ab8107c716371848bc4daf197595

SHA512
647d53a0df7170d825781cc308c0733c620b5e96e061267e451f4aa482d0118be27a42313640e3f3d5df4170408872f9f7b951d95e73f4e6a1b4d75644d31afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3e4adc3806297c150bc8e24ea4b0a70e

SHA1
9d574de7a14e613f2d9a0e5edbd86e5e3818b8a3

SHA256
22542ed5c35a381bff8322a6bb85372251c1c0b9bc65c52b87f3b872825801cf

SHA512
28ab3946b030a396f324f21c58768ff3830478e895c1d57891937209f27c7b2dd8a8415b15cdf049abbf14044515541418acc71040d3d2f3bca482beb2faace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
58071bed4fc3a15f4eb0d16df5ac62aa

SHA1
09b847ab819b4bfe6b4c0a63cc11ccadff321ac6

SHA256
9b8d2e12df1b7698414c86d9bbec07c921f2aae5ee3eeeba8cc65182553c61b9

SHA512
1560bc2910d0b9210f0ae36ddc92203038a993ce2b509036ad111e2c45d708bd8c299f0ff68aad8f24044ad990a6e48c49963040ec3311272ad45ecbe267b5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
d4d872ba7ef9d793518e0841886acc9b

SHA1
f981fe2795e2f7a4b407ecf707c66f44a63a9a6e

SHA256
cbca1784b27f27be3edd7329fbe05fbf8a83de00e78efc61cf838b4ca0d63fee

SHA512
ea47fc7d6539481e0e4cfa9d2a5143cc3edfd90710d0a0ac79bfee59452cf98291d89ddee05fa2ab2e0770a227d0e2ac20793de3786dda73b599af6378c35de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
8fae16b3b9292270d427244b3c8de75c

SHA1
272d9a529a410c8d27ade0044b2f444c684c977d

SHA256
9b3ea12c5a4900d4b53733c0000f765c5076433913d9cac3bee8b7802efaf4a2

SHA512
38fb9f834c6f429d71c669ceba348903652582b5c95b0be7b0846ff23a40bb200602045e279a06e33f36d1ee3dc2686ce4b4cb0a5bcd0ea8cb534077bd21b220

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
2c5a4995ca2a26f4901c2e1ce4cfb380

SHA1
3600980cb45aa26c27f513b0b419be7681025d34

SHA256
8f6652824f189fd661d2937fba32b83fcad512faf56596a76ca44d62b3c4699e

SHA512
54d3c09fbabe5d1c2ea57d6ef219bc6514560c692605266b30560c7967274f4cd52c70eca5f435a8392be22b7dc46bb83ebca1a1d49cd5db8ff30f2a0ebaa278

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
b684d98a49f639fc3096cddd8e840e39

SHA1
a15ce35b40e2f1db8abb4b38b12525f3f1f786aa

SHA256
a93061368641198791527aa08992cf517031c6cc85a5669381f1613c83be5d9b

SHA512
0f9b68b3ba3f1d01a30b2c2d7a7f3e10a011112e8cc3fede44c94cb0deaa2661e29f37c09931bb5577ced5383f2f062b4a3005c18f4f52551d47bfbcb2a5b176

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
e08333dc85ab00f749305ce6ff148216

SHA1
cc1ff3220e353d5c8419437a36fa6a1654b7b66b

SHA256
893d98d7bda3118a80c1393a06a345b2925b8868329c48e25458f00321946391

SHA512
19e4f01252bd76f2ef7c8df55ed16d689869c1e2111620b4cd42bab4a802d87afc2d809c7f5711123f99c0b4cb8ae10a092f059bdbfe8ff72659885fa1b32a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnrvwfcxtb.exe

Filesize
10.4MB

MD5
ed6c743973cc0cd6b9f455b412774e19

SHA1
a021ece29341e066f2c2527603a0d84801eb0073

SHA256
100697ac38637a87058c1ade17919a94cb59f52e829e42527e04212ce10e6816

SHA512
701b463bd3d9213ec43a933ac41f2841d7cc886f5bcf9bde298801d37a6d426c9589d50a1d436bfc2c4a07ed46ba365a56c5401785b22e5665cd7251f88cef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmlmdtiefq.exe

Filesize
10.4MB

MD5
cdee3b23b11fb2c51eb45ec7f9ebcb9f

SHA1
5f3cfd87420074c98519dd52535613c24a619dd1

SHA256
efe9dd9e10ceb855b0a89ee0dd460b83641e94085bb51a1dcd2ab8d7282f47f0

SHA512
e212588aee643b356e39ce126baaad3ac326cfff2a2198562c9c2a8d5b7b62718ad9678225d936edde691ef734f2405eb092f29b26229be070c5b4807036c2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdqioyrhop.exe

Filesize
10.4MB

MD5
7f47ab49674cb2174b2360fcb343d833

SHA1
14d8197fbc6f8718be039111ba0c87259047ae4d

SHA256
96043e112036e3fa0f3ef106d5c23fd07b2f1296f9ee5c095cf72d9e3bc15f34

SHA512
c8f9615c7c4db3d46c4ad1cd45301298ef935c0010bbd9fbe11b8c4c120e377644a3307a5924a24dd957c3a67bb7e7f1ffa255f27fd0ff4fbd16796f1a7b8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgwoqsywjl.exe

Filesize
10.4MB

MD5
0d6279d37962be73f669dfd60730db5e

SHA1
49561874d0e3bc604ca338d956054d0699dad3de

SHA256
8c1def7e191ff0657e1dc1516ab78ba71ab1fef5adbb25972e55077c43f538ca

SHA512
7a1a69766b70764c9815cbc2bb49886bbf4416f14dfa57960c95c2de8de4ea00e9cf61a7b105ec65fe06cf8639d7ac507f5258e398c8109dd67f8a4ddd3c2845

Download Submit
memory/832-117-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/832-116-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/876-159-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/916-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/968-11-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/968-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/968-12-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/968-73-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1368-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1612-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1728-3-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1728-4-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1728-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1728-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2276-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2332-98-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2552-72-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2628-109-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2672-128-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2692-139-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2812-106-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2888-153-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2928-0-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2928-61-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2928-56-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2928-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2928-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2972-87-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3204-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3232-131-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3260-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3260-15-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/3380-60-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3496-142-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3536-164-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3660-150-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3700-76-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4092-21-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4092-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4384-64-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4600-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4600-81-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4816-93-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4900-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4956-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4956-24-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/5024-120-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download