isrstealer | 5067be80b05a552ddd9ca03d22b822855ffa56a7a28f0ba32d0ced57e9e12810

Analysis

max time kernel
72s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinJect.exe
Size

540KB
MD5

6abce2783394bf829a97599d04a8def3
SHA1

2a7864232650cf6528c903ec505e4fc1cc59517c
SHA256

29ab5fe35a0f48c4683adf37e978abbfff23c0b2f8b416d58b18690ebf41a66a
SHA512

8c07c4b105296747f6224f161b00250e5fa54c4f7b2ad33313b91f4116917064f4acc315f664688346d0272bc77953c338fe40d4ed6e0fd5e5ad507f12cdf7b4
SSDEEP

6144:dHEUWvcNBG1R741QrIJvnjqHByUkz/urMkHug25ijoBFQi7f0u1WeJiXpH4raGpt:pFG1d4gIJLqcU9OgiioSOLKR4rFMgn

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/4840-35-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4840-33-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/5116-72-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/4840-71-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3680-98-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3232-123-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WinJect.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Winject.exe

Executes dropped EXE 64 IoCs

pid	Process
5012	0718i2vupW.exe
760	0718i2vupW.exe
4840	0718i2vupW.exe
2344	0718i2vupW.exe
3800	0718i2vupW.exe
5116	0718i2vupW.exe
3656	0718i2vupW.exe
1096	0718i2vupW.exe
3680	0718i2vupW.exe
2076	0718i2vupW.exe
4620	0718i2vupW.exe
3232	0718i2vupW.exe
3696	0718i2vupW.exe
3880	0718i2vupW.exe
2004	0718i2vupW.exe
4084	0718i2vupW.exe
3404	0718i2vupW.exe
4936	0718i2vupW.exe
4448	0718i2vupW.exe
4300	0718i2vupW.exe
112	0718i2vupW.exe
1180	0718i2vupW.exe
1952	0718i2vupW.exe
2436	0718i2vupW.exe
1852	0718i2vupW.exe
3976	0718i2vupW.exe
1084	0718i2vupW.exe
3280	0718i2vupW.exe
4812	0718i2vupW.exe
1164	0718i2vupW.exe
3528	0718i2vupW.exe
740	0718i2vupW.exe
3956	0718i2vupW.exe
880	0718i2vupW.exe
3568	0718i2vupW.exe
2476	0718i2vupW.exe
4264	0718i2vupW.exe
2492	0718i2vupW.exe
2880	0718i2vupW.exe
1448	0718i2vupW.exe
4716	0718i2vupW.exe
4868	0718i2vupW.exe
4600	0718i2vupW.exe
1988	0718i2vupW.exe
5052	0718i2vupW.exe
4028	0718i2vupW.exe
1676	0718i2vupW.exe
2604	0718i2vupW.exe
2520	0718i2vupW.exe
2040	0718i2vupW.exe
1328	0718i2vupW.exe
2836	0718i2vupW.exe
1368	0718i2vupW.exe
2268	0718i2vupW.exe
4924	0718i2vupW.exe
4920	0718i2vupW.exe
4324	0718i2vupW.exe
216	0718i2vupW.exe
2892	0718i2vupW.exe
4856	0718i2vupW.exe
3388	0718i2vupW.exe
880	0718i2vupW.exe
2096	0718i2vupW.exe
2200	0718i2vupW.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Writes to the Master Boot Record (MBR) 1 TTPs 45 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	WinJect.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 4884	1820	WinJect.exe	83
PID 2752 set thread context of 1060	2752	Winject.exe	86
PID 5012 set thread context of 760	5012	0718i2vupW.exe	87
PID 760 set thread context of 4840	760	0718i2vupW.exe	88
PID 2496 set thread context of 3760	2496	Winject.exe	92
PID 2344 set thread context of 3800	2344	0718i2vupW.exe	93
PID 3800 set thread context of 5116	3800	0718i2vupW.exe	94
PID 3656 set thread context of 1096	3656	0718i2vupW.exe	97
PID 2052 set thread context of 3684	2052	Winject.exe	98
PID 1096 set thread context of 3680	1096	0718i2vupW.exe	99
PID 4236 set thread context of 2280	4236	Winject.exe	103
PID 2076 set thread context of 4620	2076	0718i2vupW.exe	102
PID 4620 set thread context of 3232	4620	0718i2vupW.exe	104
PID 5096 set thread context of 4576	5096	Winject.exe	107
PID 3696 set thread context of 3880	3696	0718i2vupW.exe	108
PID 3880 set thread context of 2004	3880	0718i2vupW.exe	109
PID 4700 set thread context of 2384	4700	Winject.exe	112
PID 4084 set thread context of 3404	4084	0718i2vupW.exe	113
PID 3404 set thread context of 4936	3404	0718i2vupW.exe	114
PID 4448 set thread context of 4300	4448	0718i2vupW.exe	117
PID 4484 set thread context of 920	4484	Winject.exe	118
PID 4300 set thread context of 112	4300	0718i2vupW.exe	119
PID 4848 set thread context of 5064	4848	Winject.exe	124
PID 1180 set thread context of 1952	1180	0718i2vupW.exe	125
PID 1952 set thread context of 2436	1952	0718i2vupW.exe	126
PID 3812 set thread context of 4760	3812	Winject.exe	132
PID 1852 set thread context of 3976	1852	0718i2vupW.exe	133
PID 3976 set thread context of 1084	3976	0718i2vupW.exe	134
PID 4320 set thread context of 1720	4320	Winject.exe	138
PID 3280 set thread context of 4812	3280	0718i2vupW.exe	139
PID 4812 set thread context of 1164	4812	0718i2vupW.exe	140
PID 3528 set thread context of 740	3528	0718i2vupW.exe	145
PID 3576 set thread context of 4344	3576	Winject.exe	146
PID 740 set thread context of 3956	740	0718i2vupW.exe	147
PID 5008 set thread context of 320	5008	Winject.exe	151
PID 880 set thread context of 3568	880	0718i2vupW.exe	152
PID 3568 set thread context of 2476	3568	0718i2vupW.exe	153
PID 1564 set thread context of 3968	1564	Winject.exe	157
PID 4264 set thread context of 2492	4264	0718i2vupW.exe	156
PID 2492 set thread context of 2880	2492	0718i2vupW.exe	158
PID 2372 set thread context of 2692	2372	Winject.exe	161
PID 1448 set thread context of 4716	1448	0718i2vupW.exe	162
PID 4716 set thread context of 4868	4716	0718i2vupW.exe	163
PID 4000 set thread context of 392	4000	Winject.exe	167
PID 4600 set thread context of 1988	4600	0718i2vupW.exe	166
PID 1988 set thread context of 5052	1988	0718i2vupW.exe	168
PID 4028 set thread context of 1676	4028	0718i2vupW.exe	172
PID 1076 set thread context of 2832	1076	Winject.exe	171
PID 1676 set thread context of 2604	1676	0718i2vupW.exe	173
PID 2520 set thread context of 2040	2520	0718i2vupW.exe	176
PID 2052 set thread context of 2688	2052	Winject.exe	177
PID 2040 set thread context of 1328	2040	0718i2vupW.exe	178
PID 1192 set thread context of 364	1192	Winject.exe	181
PID 2836 set thread context of 1368	2836	0718i2vupW.exe	182
PID 1368 set thread context of 2268	1368	0718i2vupW.exe	183
PID 4504 set thread context of 1376	4504	Winject.exe	186
PID 4924 set thread context of 4920	4924	0718i2vupW.exe	187
PID 4920 set thread context of 4324	4920	0718i2vupW.exe	188
PID 2936 set thread context of 4072	2936	Winject.exe	191
PID 216 set thread context of 2892	216	0718i2vupW.exe	192
PID 2892 set thread context of 4856	2892	0718i2vupW.exe	193
PID 1740 set thread context of 5040	1740	Winject.exe	196
PID 3388 set thread context of 880	3388	0718i2vupW.exe	197
PID 880 set thread context of 2096	880	0718i2vupW.exe	198

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
4840	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
5116	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3680	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
3232	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
2004	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
4936	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
112	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe
2436	0718i2vupW.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1820	WinJect.exe
4884	WinJect.exe
2752	Winject.exe
5012	0718i2vupW.exe
1060	Winject.exe
760	0718i2vupW.exe
4840	0718i2vupW.exe
2496	Winject.exe
2344	0718i2vupW.exe
3760	Winject.exe
3800	0718i2vupW.exe
5116	0718i2vupW.exe
2052	Winject.exe
3656	0718i2vupW.exe
1096	0718i2vupW.exe
3684	Winject.exe
3680	0718i2vupW.exe
2076	0718i2vupW.exe
4236	Winject.exe
4620	0718i2vupW.exe
2280	Winject.exe
3232	0718i2vupW.exe
5096	Winject.exe
3696	0718i2vupW.exe
4576	Winject.exe
3880	0718i2vupW.exe
2004	0718i2vupW.exe
4700	Winject.exe
4084	0718i2vupW.exe
2384	Winject.exe
3404	0718i2vupW.exe
4936	0718i2vupW.exe
4448	0718i2vupW.exe
4484	Winject.exe
920	Winject.exe
4300	0718i2vupW.exe
112	0718i2vupW.exe
4848	Winject.exe
1180	0718i2vupW.exe
5064	Winject.exe
1952	0718i2vupW.exe
2436	0718i2vupW.exe
3812	Winject.exe
1852	0718i2vupW.exe
4760	Winject.exe
3976	0718i2vupW.exe
1084	0718i2vupW.exe
4320	Winject.exe
3280	0718i2vupW.exe
1720	Winject.exe
4812	0718i2vupW.exe
1164	0718i2vupW.exe
3576	Winject.exe
3528	0718i2vupW.exe
740	0718i2vupW.exe
4344	Winject.exe
3956	0718i2vupW.exe
5008	Winject.exe
880	0718i2vupW.exe
320	Winject.exe
3568	0718i2vupW.exe
2476	0718i2vupW.exe
1564	Winject.exe
4264	0718i2vupW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 1820 wrote to memory of 4884	1820	WinJect.exe	83
PID 4884 wrote to memory of 2752	4884	WinJect.exe	84
PID 4884 wrote to memory of 2752	4884	WinJect.exe	84
PID 4884 wrote to memory of 2752	4884	WinJect.exe	84
PID 4884 wrote to memory of 5012	4884	WinJect.exe	85
PID 4884 wrote to memory of 5012	4884	WinJect.exe	85
PID 4884 wrote to memory of 5012	4884	WinJect.exe	85
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 2752 wrote to memory of 1060	2752	Winject.exe	86
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 5012 wrote to memory of 760	5012	0718i2vupW.exe	87
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 760 wrote to memory of 4840	760	0718i2vupW.exe	88
PID 1060 wrote to memory of 2496	1060	Winject.exe	89
PID 1060 wrote to memory of 2496	1060	Winject.exe	89
PID 1060 wrote to memory of 2496	1060	Winject.exe	89
PID 1060 wrote to memory of 2344	1060	Winject.exe	90
PID 1060 wrote to memory of 2344	1060	Winject.exe	90
PID 1060 wrote to memory of 2344	1060	Winject.exe	90
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2496 wrote to memory of 3760	2496	Winject.exe	92
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 2344 wrote to memory of 3800	2344	0718i2vupW.exe	93
PID 3800 wrote to memory of 5116	3800	0718i2vupW.exe	94
PID 3800 wrote to memory of 5116	3800	0718i2vupW.exe	94
PID 3800 wrote to memory of 5116	3800	0718i2vupW.exe	94
PID 3800 wrote to memory of 5116	3800	0718i2vupW.exe	94

C:\Users\Admin\AppData\Local\Temp\WinJect.exe
"C:\Users\Admin\AppData\Local\Temp\WinJect.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\WinJect.exe
  "C:\Users\Admin\AppData\Local\Temp\WinJect.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\Winject.exe
    "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\Winject.exe
      "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
      4⤵
      Checks computer location settings
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        6⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        8⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        10⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        12⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        14⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        16⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        18⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        20⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        22⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        24⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        26⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        28⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        29⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        30⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        31⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        32⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        33⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        34⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        35⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        36⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        37⤵
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        38⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        39⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        40⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        41⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        42⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        43⤵
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        44⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        46⤵
        Checks computer location settings
        Writes to the Master Boot Record (MBR)
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        48⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        49⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        50⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        51⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        52⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        53⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        54⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        55⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        56⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        57⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        58⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        59⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        60⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        61⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        62⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        63⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        64⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        65⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        66⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        67⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        68⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        69⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        70⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        71⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        72⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        73⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        74⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        75⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        76⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        77⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        78⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        79⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        80⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        81⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        82⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        83⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        84⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        85⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        86⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        87⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        88⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        89⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        90⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        91⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        92⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        93⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        94⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        95⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        96⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        97⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        98⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        99⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        100⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        101⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        101⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        99⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        100⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        101⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        97⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        98⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        99⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        95⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        96⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        97⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        93⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        94⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        95⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        91⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        92⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        93⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        89⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        90⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        91⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        87⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        88⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        89⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        85⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        86⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        87⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        83⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        84⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        85⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        81⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        82⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        83⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        79⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        80⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        81⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        77⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        78⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        79⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        75⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        76⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        77⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        73⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        74⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        75⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        71⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        72⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        73⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        69⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        70⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        71⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        67⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        68⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        69⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        65⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        66⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        67⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        63⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        64⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        65⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        61⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        62⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        63⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        59⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        60⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        61⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        57⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        58⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        59⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        55⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        56⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        57⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        53⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        54⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        55⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        51⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        52⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        53⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        49⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        50⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        51⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        48⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        49⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        46⤵
        Writes to the Master Boot Record (MBR)
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        43⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        41⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        35⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        33⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        29⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        10⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        8⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5116
- - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
    "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
      "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
228KB

MD5
4bde2fa501b271311668b79e08c3977e

SHA1
60517822d48cf2b560c2d4681c4e5685e29f9632

SHA256
73903815bf438131d3dee70fb8f7f757f1ae57deb7fddd802685fd14d95c33dd

SHA512
4a39144ed55e44228882b1d30e1d4b6ddc76cbc8037089fdd0e058ad79364a66d13d311827bf181907d3e29b84b6443349624e2d505d1c4d64cea2e48cd684c3

Download Submit
memory/760-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/760-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/760-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1060-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1096-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2280-118-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3232-123-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3680-98-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3684-95-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3760-69-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3800-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3880-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4620-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4840-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4840-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4840-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4884-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4884-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4884-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5116-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download