ff0a60c487c841636d024e647d266c229c96c7334d085c47d535754fc390b412

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
Size

740KB
MD5

1ff326b327dfb16c932fe4d904f4ccf7
SHA1

a3b7a53df4e9c4125ab6c03c8d1e50204cf0ff9f
SHA256

41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad
SHA512

b717f440a35e4687fbc7b3024d7de8c1f6eb55ad026a798b076572f267d49585d3cbdb572678f64e4512f5f2672813c493d01f78621c9bb57b72ce27db165713
SSDEEP

12288:5sHzOUNUSB/o5LsI1uwajJ5yvv1l27rzUEX5ENgcGCXfkUg9vfopCHm3If3/8xLE:giUmSB/o5d1ubcvMX5UgcXyfop0v8xLE

Score

7^/10

discovery upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 64 IoCs

pid	Process
2712	name.exe
2168	name.exe
1728	name.exe
3836	name.exe
3164	name.exe
1560	name.exe
216	name.exe
3864	name.exe
2072	name.exe
1552	name.exe
2628	name.exe
4488	name.exe
4724	name.exe
4468	name.exe
1804	name.exe
1240	name.exe
3224	name.exe
2552	name.exe
4044	name.exe
2944	name.exe
2976	name.exe
60	name.exe
388	name.exe
3304	name.exe
384	name.exe
2208	name.exe
1604	name.exe
3120	name.exe
4988	name.exe
4776	name.exe
3716	name.exe
4868	name.exe
4088	name.exe
1192	name.exe
4196	name.exe
3968	name.exe
1080	name.exe
2256	name.exe
2000	name.exe
1504	name.exe
1408	name.exe
4036	name.exe
3128	name.exe
1284	name.exe
1020	name.exe
4400	name.exe
4676	name.exe
5028	name.exe
4672	name.exe
2660	name.exe
4052	name.exe
4000	name.exe
4424	name.exe
3260	name.exe
4300	name.exe
4760	name.exe
1224	name.exe
2416	name.exe
3640	name.exe
3356	name.exe
4604	name.exe
3048	name.exe
740	name.exe
408	name.exe

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral24/memory/4884-20-0x0000000000620000-0x00000000007BF000-memory.dmp	autoit_exe
behavioral24/memory/2712-40-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2168-58-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1728-76-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3836-93-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3164-111-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1560-129-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/216-147-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3864-165-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2072-183-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1552-202-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2628-220-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4488-238-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4724-256-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4468-274-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1804-292-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1240-310-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3224-328-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2552-345-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4044-363-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2944-381-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2976-398-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/60-413-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/388-428-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3304-429-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3304-444-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/384-458-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2208-473-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1604-489-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3120-504-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4988-519-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4776-520-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4776-535-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3716-550-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4868-565-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4088-580-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1192-595-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4196-610-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3968-626-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1080-641-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2256-656-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2000-670-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1504-685-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1408-700-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4036-715-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3128-730-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1284-745-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1020-746-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1020-761-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4400-776-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4676-791-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/5028-807-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4672-822-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2660-837-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4052-852-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4000-867-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4424-882-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3260-897-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4300-912-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/4760-927-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/1224-942-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/2416-957-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3640-972-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe
behavioral24/memory/3356-987-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	autoit_exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral24/memory/4884-0-0x0000000000620000-0x00000000007BF000-memory.dmp	upx
behavioral24/files/0x0008000000023d18-17.dat	upx
behavioral24/memory/4884-20-0x0000000000620000-0x00000000007BF000-memory.dmp	upx
behavioral24/memory/2712-18-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2712-40-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2168-58-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1728-76-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3836-93-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3164-111-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1560-129-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/216-147-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3864-165-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1552-184-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2072-183-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1552-202-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2628-220-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4488-238-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4724-256-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4468-274-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1804-292-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1240-310-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3224-328-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2552-345-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4044-363-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2944-381-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2976-398-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/60-413-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/388-428-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3304-429-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3304-444-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/384-458-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2208-473-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1604-474-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1604-489-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3120-504-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4988-519-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4776-520-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4776-535-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3716-550-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4868-565-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4088-580-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1192-595-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4196-610-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3968-611-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3968-626-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1080-641-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2256-656-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2000-670-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1504-685-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1408-700-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4036-715-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/3128-730-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1284-745-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1020-746-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/1020-761-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4400-776-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4676-791-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/5028-792-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/5028-807-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4672-822-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/2660-837-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4052-852-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4000-867-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx
behavioral24/memory/4424-882-0x0000000000AA0000-0x0000000000C3F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
2712	name.exe
2712	name.exe
2168	name.exe
2168	name.exe
1728	name.exe
1728	name.exe
3836	name.exe
3836	name.exe
3164	name.exe
3164	name.exe
1560	name.exe
1560	name.exe
216	name.exe
216	name.exe
3864	name.exe
3864	name.exe
2072	name.exe
2072	name.exe
1552	name.exe
1552	name.exe
2628	name.exe
2628	name.exe
4488	name.exe
4488	name.exe
4724	name.exe
4724	name.exe
4468	name.exe
4468	name.exe
1804	name.exe
1804	name.exe
1240	name.exe
1240	name.exe
3224	name.exe
3224	name.exe
2552	name.exe
2552	name.exe
4044	name.exe
4044	name.exe
2944	name.exe
2944	name.exe
2976	name.exe
2976	name.exe
60	name.exe
60	name.exe
388	name.exe
388	name.exe
3304	name.exe
3304	name.exe
384	name.exe
384	name.exe
2208	name.exe
2208	name.exe
1604	name.exe
1604	name.exe
3120	name.exe
3120	name.exe
4988	name.exe
4988	name.exe
4776	name.exe
4776	name.exe
3716	name.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
2712	name.exe
2712	name.exe
2168	name.exe
2168	name.exe
1728	name.exe
1728	name.exe
3836	name.exe
3836	name.exe
3164	name.exe
3164	name.exe
1560	name.exe
1560	name.exe
216	name.exe
216	name.exe
3864	name.exe
3864	name.exe
2072	name.exe
2072	name.exe
1552	name.exe
1552	name.exe
2628	name.exe
2628	name.exe
4488	name.exe
4488	name.exe
4724	name.exe
4724	name.exe
4468	name.exe
4468	name.exe
1804	name.exe
1804	name.exe
1240	name.exe
1240	name.exe
3224	name.exe
3224	name.exe
2552	name.exe
2552	name.exe
4044	name.exe
4044	name.exe
2944	name.exe
2944	name.exe
2976	name.exe
2976	name.exe
60	name.exe
60	name.exe
388	name.exe
388	name.exe
3304	name.exe
3304	name.exe
384	name.exe
384	name.exe
2208	name.exe
2208	name.exe
1604	name.exe
1604	name.exe
3120	name.exe
3120	name.exe
4988	name.exe
4988	name.exe
4776	name.exe
4776	name.exe
3716	name.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2712	4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe	83
PID 4884 wrote to memory of 2712	4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe	83
PID 4884 wrote to memory of 2712	4884	41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe	83
PID 2712 wrote to memory of 2168	2712	name.exe	84
PID 2712 wrote to memory of 2168	2712	name.exe	84
PID 2712 wrote to memory of 2168	2712	name.exe	84
PID 2168 wrote to memory of 1728	2168	name.exe	85
PID 2168 wrote to memory of 1728	2168	name.exe	85
PID 2168 wrote to memory of 1728	2168	name.exe	85
PID 1728 wrote to memory of 3836	1728	name.exe	86
PID 1728 wrote to memory of 3836	1728	name.exe	86
PID 1728 wrote to memory of 3836	1728	name.exe	86
PID 3836 wrote to memory of 3164	3836	name.exe	87
PID 3836 wrote to memory of 3164	3836	name.exe	87
PID 3836 wrote to memory of 3164	3836	name.exe	87
PID 3164 wrote to memory of 1560	3164	name.exe	88
PID 3164 wrote to memory of 1560	3164	name.exe	88
PID 3164 wrote to memory of 1560	3164	name.exe	88
PID 1560 wrote to memory of 216	1560	name.exe	89
PID 1560 wrote to memory of 216	1560	name.exe	89
PID 1560 wrote to memory of 216	1560	name.exe	89
PID 216 wrote to memory of 3864	216	name.exe	90
PID 216 wrote to memory of 3864	216	name.exe	90
PID 216 wrote to memory of 3864	216	name.exe	90
PID 3864 wrote to memory of 2072	3864	name.exe	91
PID 3864 wrote to memory of 2072	3864	name.exe	91
PID 3864 wrote to memory of 2072	3864	name.exe	91
PID 2072 wrote to memory of 1552	2072	name.exe	92
PID 2072 wrote to memory of 1552	2072	name.exe	92
PID 2072 wrote to memory of 1552	2072	name.exe	92
PID 1552 wrote to memory of 2628	1552	name.exe	93
PID 1552 wrote to memory of 2628	1552	name.exe	93
PID 1552 wrote to memory of 2628	1552	name.exe	93
PID 2628 wrote to memory of 4488	2628	name.exe	94
PID 2628 wrote to memory of 4488	2628	name.exe	94
PID 2628 wrote to memory of 4488	2628	name.exe	94
PID 4488 wrote to memory of 4724	4488	name.exe	95
PID 4488 wrote to memory of 4724	4488	name.exe	95
PID 4488 wrote to memory of 4724	4488	name.exe	95
PID 4724 wrote to memory of 4468	4724	name.exe	96
PID 4724 wrote to memory of 4468	4724	name.exe	96
PID 4724 wrote to memory of 4468	4724	name.exe	96
PID 4468 wrote to memory of 1804	4468	name.exe	99
PID 4468 wrote to memory of 1804	4468	name.exe	99
PID 4468 wrote to memory of 1804	4468	name.exe	99
PID 1804 wrote to memory of 1240	1804	name.exe	103
PID 1804 wrote to memory of 1240	1804	name.exe	103
PID 1804 wrote to memory of 1240	1804	name.exe	103
PID 1240 wrote to memory of 3224	1240	name.exe	104
PID 1240 wrote to memory of 3224	1240	name.exe	104
PID 1240 wrote to memory of 3224	1240	name.exe	104
PID 3224 wrote to memory of 2552	3224	name.exe	105
PID 3224 wrote to memory of 2552	3224	name.exe	105
PID 3224 wrote to memory of 2552	3224	name.exe	105
PID 2552 wrote to memory of 4044	2552	name.exe	108
PID 2552 wrote to memory of 4044	2552	name.exe	108
PID 2552 wrote to memory of 4044	2552	name.exe	108
PID 4044 wrote to memory of 2944	4044	name.exe	109
PID 4044 wrote to memory of 2944	4044	name.exe	109
PID 4044 wrote to memory of 2944	4044	name.exe	109
PID 2944 wrote to memory of 2976	2944	name.exe	114
PID 2944 wrote to memory of 2976	2944	name.exe	114
PID 2944 wrote to memory of 2976	2944	name.exe	114
PID 2976 wrote to memory of 60	2976	name.exe	115

C:\Users\Admin\AppData\Local\Temp\41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe
"C:\Users\Admin\AppData\Local\Temp\41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:60
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:388
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:384
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        35⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        36⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        38⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        45⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        47⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        52⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        53⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        54⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        55⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        56⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        58⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        59⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        60⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        62⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        64⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        70⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        73⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        75⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        77⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        78⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        80⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        82⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        84⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        87⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        91⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        92⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        93⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        96⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        97⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        98⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        99⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        100⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        101⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        102⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        105⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        106⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        107⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        110⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        111⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        113⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        115⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        116⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        119⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        121⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        123⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        126⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        128⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        129⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        132⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        133⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        135⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        137⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\directory\name.exe
        
        "C:\Users\Admin\AppData\Local\directory\name.exe"
        139⤵
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut9376.tmp

Filesize
280KB

MD5
814bdbb55d934abd44a1b24fbee76a59

SHA1
8d21d0a9ccc2a981d1b79d0747ce6601a2434c4a

SHA256
df64f9b017f2ff7022e589c2b647cf1dea2592578c0a12df9a7ac9bdaa9ab61b

SHA512
cb347f747d6e43f09b5fb6b115603c2dc25042f3d35c312a2a1067aefe389293ad2a25c4bb3c87732a6e335d90cad0bff35d3aa512447e914eb114faa4f38711

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9D3B.tmp

Filesize
42KB

MD5
aa12e9dda045149b8c45d1b3a5013ca6

SHA1
efc284dd0fec8a838b64e6a2107a9666d7e957e4

SHA256
02ee4477ba01614867ce82291c956db05ce9095c2b8e7f7d08b6a192223ca308

SHA512
3f9b5a2c92894b8e9026f1344b8a2aae7df2788fb952cbe46398e67fe5045130961f6ded1007cc4f74e5a05ff7dbfc2509f75cdc46636d2aade895c992f7df46

Download Submit
C:\Users\Admin\AppData\Local\Temp\piceworth

Filesize
84KB

MD5
92ad4fb2be786e35dac1ee1027960b33

SHA1
4c394a07d38b9893e7da782ac40726739d3a07f0

SHA256
502fe73ecb7abc9d820c27a5e79629a52157f93b816b0e4e60641086b195df6d

SHA512
24ca02e4d362f4601f6b9c69668739e9bd011789119c008204799418017b5ca43bfeb764b7a18006e2aa40c8ed3c646395529fac63779632828c41ea23b14052

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
740KB

MD5
1ff326b327dfb16c932fe4d904f4ccf7

SHA1
a3b7a53df4e9c4125ab6c03c8d1e50204cf0ff9f

SHA256
41ac704c7b71aa0419cb1344ba49806667f9f72ce0e4750f8353279a3f2e33ad

SHA512
b717f440a35e4687fbc7b3024d7de8c1f6eb55ad026a798b076572f267d49585d3cbdb572678f64e4512f5f2672813c493d01f78621c9bb57b72ce27db165713

Download Submit
memory/60-413-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/216-147-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/384-458-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/388-428-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/740-1029-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1020-761-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1020-746-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1080-641-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1192-595-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1224-942-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1240-310-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1284-745-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1408-700-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1504-685-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1552-184-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1552-202-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1560-129-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1604-489-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1604-474-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1728-76-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/1804-292-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2000-670-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2072-183-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2168-58-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2208-473-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2256-656-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2416-957-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2552-345-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2628-220-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2660-837-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2712-40-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2712-18-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2944-381-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/2976-398-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3048-1015-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3120-504-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3128-730-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3164-111-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3224-328-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3260-897-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3304-444-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3304-429-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3356-987-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3640-972-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3716-550-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3836-93-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3864-165-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3968-611-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3968-626-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4000-867-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4036-715-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4044-363-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4052-852-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4088-580-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4196-610-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4300-912-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4400-776-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4424-882-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4468-274-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4488-238-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4604-1001-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4672-822-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4676-791-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4724-256-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4760-927-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4776-535-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4776-520-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4868-565-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/4884-20-0x0000000000620000-0x00000000007BF000-memory.dmp

Filesize
1.6MB

Download
memory/4884-0-0x0000000000620000-0x00000000007BF000-memory.dmp

Filesize
1.6MB

Download
memory/4884-14-0x00000000016E0000-0x00000000016E4000-memory.dmp

Filesize
16KB

Download
memory/4988-519-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/5028-807-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download
memory/5028-792-0x0000000000AA0000-0x0000000000C3F000-memory.dmp

Filesize
1.6MB

Download