asyncrat | ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

Analysis

max time kernel
68s
max time network
137s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Sheet.exe
Size

2.6MB
MD5

9bc1a47fdbd32cc92c94a9d1a84597ac
SHA1

63a5eb6563208137d12dd8fa4ede2e2c98e70033
SHA256

ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
SHA512

559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Score

10^/10

asyncrat evasion rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exeAdvancedRun.exe

pid process

3472 AdvancedRun.exe
3356 AdvancedRun.exe
2156 1Ua9ea19ce4Va7ea83fucAac58.exe
4532 AdvancedRun.exe
4780 AdvancedRun.exe

Drops startup file 2 IoCs

Processes:

Order Sheet.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Order Sheet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Order Sheet.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Order Sheet.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Order Sheet.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

Order Sheet.exe

pid	process
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe
3016	Order Sheet.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Sheet.exe

description pid process target process

PID 3016 set thread context of 1460 3016 Order Sheet.exe Order Sheet.exe

description	pid	process	target process
PID 3016 set thread context of 1460	3016	Order Sheet.exe	Order Sheet.exe

Drops file in Windows directory 2 IoCs

Processes:

Order Sheet.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe	Order Sheet.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

644 3016 WerFault.exe Order Sheet.exe
4916 2156 WerFault.exe 1Ua9ea19ce4Va7ea83fucAac58.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

8684 timeout.exe
9772 timeout.exe

pid	pid_target	process	target process
644	3016	WerFault.exe	Order Sheet.exe
4916	2156	WerFault.exe	1Ua9ea19ce4Va7ea83fucAac58.exe

pid	process
8684	timeout.exe
9772	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3472	AdvancedRun.exe
3472	AdvancedRun.exe
3472	AdvancedRun.exe
3472	AdvancedRun.exe
3356	AdvancedRun.exe
3356	AdvancedRun.exe
3356	AdvancedRun.exe
3356	AdvancedRun.exe
3844	powershell.exe
3844	powershell.exe
3532	powershell.exe
3532	powershell.exe
1164	powershell.exe
1164	powershell.exe
3152	powershell.exe
3152	powershell.exe
1504	powershell.exe
1504	powershell.exe
2984	powershell.exe
2984	powershell.exe
3472	powershell.exe
3472	powershell.exe
4532	AdvancedRun.exe
4532	AdvancedRun.exe
4532	AdvancedRun.exe
4532	AdvancedRun.exe
196	powershell.exe
196	powershell.exe
4780	AdvancedRun.exe
4780	AdvancedRun.exe
4780	AdvancedRun.exe
4780	AdvancedRun.exe
3532	powershell.exe
1164	powershell.exe
3152	powershell.exe
1504	powershell.exe
2984	powershell.exe
3844	powershell.exe
196	powershell.exe
3472	powershell.exe
3532	powershell.exe
3152	powershell.exe
1504	powershell.exe
3844	powershell.exe
1164	powershell.exe
3472	powershell.exe
2984	powershell.exe
196	powershell.exe
5040	powershell.exe
5040	powershell.exe
5068	powershell.exe
5068	powershell.exe
5108	powershell.exe
5108	powershell.exe
4124	powershell.exe
4124	powershell.exe
4200	powershell.exe
4200	powershell.exe
4808	powershell.exe
4808	powershell.exe
4828	powershell.exe
4828	powershell.exe
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOrder Sheet.exe

description	pid	process
Token: SeDebugPrivilege	3472	AdvancedRun.exe
Token: SeImpersonatePrivilege	3472	AdvancedRun.exe
Token: SeDebugPrivilege	3356	AdvancedRun.exe
Token: SeImpersonatePrivilege	3356	AdvancedRun.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4532	AdvancedRun.exe
Token: SeImpersonatePrivilege	4532	AdvancedRun.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	4780	AdvancedRun.exe
Token: SeImpersonatePrivilege	4780	AdvancedRun.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	5236	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	5316	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	6292	powershell.exe
Token: SeDebugPrivilege	6364	powershell.exe
Token: SeDebugPrivilege	6424	powershell.exe
Token: SeDebugPrivilege	6588	powershell.exe
Token: SeDebugPrivilege	6648	powershell.exe
Token: SeDebugPrivilege	6684	powershell.exe
Token: SeDebugPrivilege	7028	powershell.exe
Token: SeDebugPrivilege	7072	powershell.exe
Token: SeDebugPrivilege	7112	powershell.exe
Token: SeDebugPrivilege	6860	powershell.exe
Token: SeDebugPrivilege	6788	powershell.exe
Token: SeDebugPrivilege	6500	powershell.exe
Token: SeDebugPrivilege	7428	powershell.exe
Token: SeDebugPrivilege	7488	powershell.exe
Token: SeDebugPrivilege	7532	powershell.exe
Token: SeDebugPrivilege	8040	powershell.exe
Token: SeDebugPrivilege	8080	powershell.exe
Token: SeDebugPrivilege	8128	powershell.exe
Token: SeDebugPrivilege	7680	powershell.exe
Token: SeDebugPrivilege	7872	powershell.exe
Token: SeDebugPrivilege	8136	powershell.exe
Token: SeDebugPrivilege	8364	powershell.exe
Token: SeDebugPrivilege	8396	powershell.exe
Token: SeDebugPrivilege	8436	powershell.exe
Token: SeDebugPrivilege	8740	powershell.exe
Token: SeDebugPrivilege	8804	powershell.exe
Token: SeDebugPrivilege	8848	powershell.exe
Token: SeDebugPrivilege	3016	Order Sheet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order Sheet.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exe

description	pid	process	target process
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	AdvancedRun.exe
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	AdvancedRun.exe
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	AdvancedRun.exe
PID 3472 wrote to memory of 3356	3472	AdvancedRun.exe	AdvancedRun.exe
PID 3472 wrote to memory of 3356	3472	AdvancedRun.exe	AdvancedRun.exe
PID 3472 wrote to memory of 3356	3472	AdvancedRun.exe	AdvancedRun.exe
PID 3016 wrote to memory of 3532	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3532	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3532	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3844	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3844	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3844	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1164	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1164	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1164	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3152	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3152	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3152	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1504	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1504	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 1504	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 2156	3016	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 3016 wrote to memory of 2156	3016	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 3016 wrote to memory of 2156	3016	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 3016 wrote to memory of 2984	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 2984	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 2984	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 3472	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 196	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 196	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 196	3016	Order Sheet.exe	powershell.exe
PID 2156 wrote to memory of 4532	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 2156 wrote to memory of 4532	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 2156 wrote to memory of 4532	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 4532 wrote to memory of 4780	4532	AdvancedRun.exe	AdvancedRun.exe
PID 4532 wrote to memory of 4780	4532	AdvancedRun.exe	AdvancedRun.exe
PID 4532 wrote to memory of 4780	4532	AdvancedRun.exe	AdvancedRun.exe
PID 2156 wrote to memory of 5040	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5040	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5040	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5068	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5068	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5068	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5108	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5108	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 5108	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4124	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4124	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4124	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4200	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4200	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 2156 wrote to memory of 4200	2156	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3016 wrote to memory of 4808	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4808	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4808	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4828	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4828	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4828	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4924	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4924	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 4924	3016	Order Sheet.exe	powershell.exe
PID 3016 wrote to memory of 5236	3016	Order Sheet.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Order Sheet.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Order Sheet.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Order Sheet.exe

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
1⤵
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016

C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe" /SpecialRun 4101d8 3472
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe" /SpecialRun 4101d8 4532
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:8232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:5300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:8412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:10148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:10168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:10196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
PID:9712

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:9772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
3⤵
PID:9636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1912
3⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:8176

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:8684

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
2⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1888
2⤵
- Drops file in Windows directory
- Program crash
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c56c0717aec3a0327533dbd5da9ec441

SHA1
73c50595748c22f02e646b2616b1653f9c24b3ed

SHA256
f74c7831269d9c1c64cd02b7739fa49f57dd3748560f9dfff9e9dfce57893164

SHA512
712b6f8b525a6588ab10da4427dd363672646d1df303a742174425d21eb1f7ed2df6825bf235abc95a7a0d119a70d9b237b2337814c0a3c82239ff0bec9a6810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c56c0717aec3a0327533dbd5da9ec441

SHA1
73c50595748c22f02e646b2616b1653f9c24b3ed

SHA256
f74c7831269d9c1c64cd02b7739fa49f57dd3748560f9dfff9e9dfce57893164

SHA512
712b6f8b525a6588ab10da4427dd363672646d1df303a742174425d21eb1f7ed2df6825bf235abc95a7a0d119a70d9b237b2337814c0a3c82239ff0bec9a6810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89f1e4ddf9cf62f0caa9239ee286866e

SHA1
7fcddd8ce5362828d88a7defc89d01301002b928

SHA256
a9aea8820b22d8803247913bc20a1bb52453089db96e5b3947b52a8fd2311a41

SHA512
56b45ba9880a34bafd9a0799185b2a68457da1ba9cc786ffeabda7cf997cf7754071bb8753fd4965769e9213bda0806d6ff3d26c6657e35086c8b61d60adaed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89f1e4ddf9cf62f0caa9239ee286866e

SHA1
7fcddd8ce5362828d88a7defc89d01301002b928

SHA256
a9aea8820b22d8803247913bc20a1bb52453089db96e5b3947b52a8fd2311a41

SHA512
56b45ba9880a34bafd9a0799185b2a68457da1ba9cc786ffeabda7cf997cf7754071bb8753fd4965769e9213bda0806d6ff3d26c6657e35086c8b61d60adaed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
3b164f9b544b25717cd99aa3705bf593

SHA1
972708780a62a79fa5b191e2d1b9003748a2f260

SHA256
dac311191645a941f5f9ca1de143c17d47f9a5a7c03efa630019ddd84ba5e75f

SHA512
f6ebe0d8263fa54600f4eb9cac3801c805cd950687bf8b9aeb547b86e59436ba433f75eabd4b0303824319289a6df2051051a20be01dff0562c6220cec46877d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
38eb2bf10b6d757050428a0caa458c68

SHA1
35023613fa98d8450e61c55e2cfb12d23dc7aa5d

SHA256
a89451257593e92c3d3974c4ee377e03022799b89511055034fd723697442697

SHA512
2275224c89d0a9a5aab8ec0de7198d304f7bc8884d087f2737a63f714c8625ce32432a4b509b09e0598f6cf433a4371965789d434837ec79bae8ace3241d5134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
38eb2bf10b6d757050428a0caa458c68

SHA1
35023613fa98d8450e61c55e2cfb12d23dc7aa5d

SHA256
a89451257593e92c3d3974c4ee377e03022799b89511055034fd723697442697

SHA512
2275224c89d0a9a5aab8ec0de7198d304f7bc8884d087f2737a63f714c8625ce32432a4b509b09e0598f6cf433a4371965789d434837ec79bae8ace3241d5134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89f1e4ddf9cf62f0caa9239ee286866e

SHA1
7fcddd8ce5362828d88a7defc89d01301002b928

SHA256
a9aea8820b22d8803247913bc20a1bb52453089db96e5b3947b52a8fd2311a41

SHA512
56b45ba9880a34bafd9a0799185b2a68457da1ba9cc786ffeabda7cf997cf7754071bb8753fd4965769e9213bda0806d6ff3d26c6657e35086c8b61d60adaed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bcabacc99eb628f3ea2d37d68e368902

SHA1
dab4044609b4fde4d1841d2f473b1297e88a3bce

SHA256
2048bf3ec6e2c402d6b6314d239a8ab6bd963d5e566e21673fb0d81d55857198

SHA512
ef05d256032eb6e870f41df8c48dd1fbb9444d3c4b79e9093e3609dec2bf1cd33baf7bb925b7381bdaef5b2e2c6b8da14f4215120c2e2d1ca8d4378b9be64ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0494be9c5fe40c5a85098d06ecd777d6

SHA1
cbeadbbc53c7a066a632197f204053bbcf410fbb

SHA256
a528eef704050770ed7bb1a5dec31369968d0fc0a4d479db1cf730ff5c0fa24c

SHA512
79975f846003a84d1c77edfcfee459f4504ca7939f5043c8b835e857e2b4bf6cd1ca22470b03e8f8162e22d8e846eeb57bf3973021389309e3604e8eee0eb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca235a3fb82371200aec47336145468b

SHA1
06f3d5bf91db65292bb55305621d106fec457e54

SHA256
5179086a4f27a3053788d8bf81cd90069322649a5871c963d6f71cc9d42001f4

SHA512
5f91f5a2abe8ce4d5c7d6c13b8c2127eb937cdf3aeb8e4890e674bc152db4ec1d14ba55e252dea21aa8b457a864176bd0f3037a29db2f7a33b4377bec216d446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0494be9c5fe40c5a85098d06ecd777d6

SHA1
cbeadbbc53c7a066a632197f204053bbcf410fbb

SHA256
a528eef704050770ed7bb1a5dec31369968d0fc0a4d479db1cf730ff5c0fa24c

SHA512
79975f846003a84d1c77edfcfee459f4504ca7939f5043c8b835e857e2b4bf6cd1ca22470b03e8f8162e22d8e846eeb57bf3973021389309e3604e8eee0eb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca235a3fb82371200aec47336145468b

SHA1
06f3d5bf91db65292bb55305621d106fec457e54

SHA256
5179086a4f27a3053788d8bf81cd90069322649a5871c963d6f71cc9d42001f4

SHA512
5f91f5a2abe8ce4d5c7d6c13b8c2127eb937cdf3aeb8e4890e674bc152db4ec1d14ba55e252dea21aa8b457a864176bd0f3037a29db2f7a33b4377bec216d446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0494be9c5fe40c5a85098d06ecd777d6

SHA1
cbeadbbc53c7a066a632197f204053bbcf410fbb

SHA256
a528eef704050770ed7bb1a5dec31369968d0fc0a4d479db1cf730ff5c0fa24c

SHA512
79975f846003a84d1c77edfcfee459f4504ca7939f5043c8b835e857e2b4bf6cd1ca22470b03e8f8162e22d8e846eeb57bf3973021389309e3604e8eee0eb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0494be9c5fe40c5a85098d06ecd777d6

SHA1
cbeadbbc53c7a066a632197f204053bbcf410fbb

SHA256
a528eef704050770ed7bb1a5dec31369968d0fc0a4d479db1cf730ff5c0fa24c

SHA512
79975f846003a84d1c77edfcfee459f4504ca7939f5043c8b835e857e2b4bf6cd1ca22470b03e8f8162e22d8e846eeb57bf3973021389309e3604e8eee0eb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca235a3fb82371200aec47336145468b

SHA1
06f3d5bf91db65292bb55305621d106fec457e54

SHA256
5179086a4f27a3053788d8bf81cd90069322649a5871c963d6f71cc9d42001f4

SHA512
5f91f5a2abe8ce4d5c7d6c13b8c2127eb937cdf3aeb8e4890e674bc152db4ec1d14ba55e252dea21aa8b457a864176bd0f3037a29db2f7a33b4377bec216d446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca235a3fb82371200aec47336145468b

SHA1
06f3d5bf91db65292bb55305621d106fec457e54

SHA256
5179086a4f27a3053788d8bf81cd90069322649a5871c963d6f71cc9d42001f4

SHA512
5f91f5a2abe8ce4d5c7d6c13b8c2127eb937cdf3aeb8e4890e674bc152db4ec1d14ba55e252dea21aa8b457a864176bd0f3037a29db2f7a33b4377bec216d446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca235a3fb82371200aec47336145468b

SHA1
06f3d5bf91db65292bb55305621d106fec457e54

SHA256
5179086a4f27a3053788d8bf81cd90069322649a5871c963d6f71cc9d42001f4

SHA512
5f91f5a2abe8ce4d5c7d6c13b8c2127eb937cdf3aeb8e4890e674bc152db4ec1d14ba55e252dea21aa8b457a864176bd0f3037a29db2f7a33b4377bec216d446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bcabacc99eb628f3ea2d37d68e368902

SHA1
dab4044609b4fde4d1841d2f473b1297e88a3bce

SHA256
2048bf3ec6e2c402d6b6314d239a8ab6bd963d5e566e21673fb0d81d55857198

SHA512
ef05d256032eb6e870f41df8c48dd1fbb9444d3c4b79e9093e3609dec2bf1cd33baf7bb925b7381bdaef5b2e2c6b8da14f4215120c2e2d1ca8d4378b9be64ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d2340a28bfe9682b0e53efd51d2b3179

SHA1
597a584278738a67ffc7786bf7e628f7826375ea

SHA256
620c41eabfa3cd91356cdc81755f9c43755ce8e8655241c7ea145785c473d748

SHA512
281b69bfe1de176632e24337e14f403ea4d5b41b397285072861b5b6808e8ac36cce8b0dbab4a21e09ebb5753fcc89ab18b9c3acbfb502d70538f4a35d04f91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d2340a28bfe9682b0e53efd51d2b3179

SHA1
597a584278738a67ffc7786bf7e628f7826375ea

SHA256
620c41eabfa3cd91356cdc81755f9c43755ce8e8655241c7ea145785c473d748

SHA512
281b69bfe1de176632e24337e14f403ea4d5b41b397285072861b5b6808e8ac36cce8b0dbab4a21e09ebb5753fcc89ab18b9c3acbfb502d70538f4a35d04f91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bcabacc99eb628f3ea2d37d68e368902

SHA1
dab4044609b4fde4d1841d2f473b1297e88a3bce

SHA256
2048bf3ec6e2c402d6b6314d239a8ab6bd963d5e566e21673fb0d81d55857198

SHA512
ef05d256032eb6e870f41df8c48dd1fbb9444d3c4b79e9093e3609dec2bf1cd33baf7bb925b7381bdaef5b2e2c6b8da14f4215120c2e2d1ca8d4378b9be64ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5996af5a95781dfcbfeed9eb897ac3c8

SHA1
b1defc9b40ff8a96a417921462354fc8fb9dea26

SHA256
2cc31527cd448033b1639ed775daf18b917d86fb14c35efd996acef50e611719

SHA512
60e368b82a5afcbe7ccf153d6c4d3609900bfa3f744163408b442ea5b8daad0f0507ff5e7afab420db3f5ba63661711f000d31969195fa72f0f2b3874c1f8780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5996af5a95781dfcbfeed9eb897ac3c8

SHA1
b1defc9b40ff8a96a417921462354fc8fb9dea26

SHA256
2cc31527cd448033b1639ed775daf18b917d86fb14c35efd996acef50e611719

SHA512
60e368b82a5afcbe7ccf153d6c4d3609900bfa3f744163408b442ea5b8daad0f0507ff5e7afab420db3f5ba63661711f000d31969195fa72f0f2b3874c1f8780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e0161674dc9213006ed4f9e822eacd24

SHA1
7e3951e85705a8c21c5496a1a9a0bbcca82a3175

SHA256
c7edc2c5ce27bea39506adb294bc5c2bd51c871598e1ff8e6d19b4c3dd65527b

SHA512
7d7b8de8bbdb0b8d445c56a5cebd749aaac915c8e7ae3aaacff015e7c743c692789daa0e4b63433b1430d40e6f60937c4f3336e07609667547f1a62642b00541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
188e29b0c2599c1d87b81ab38a208158

SHA1
73ddbdf7bd84732fb0f010d2b05e097c301ae2a3

SHA256
ef48800af264713356edde8584bc6039e95a587691da47b2183bd33224069af8

SHA512
3b5686d768139d30705f47b31cabe62a89a210f82c09782f5498b1c2b256a12e100ed8901ffcce25b51000813135bd66c37190b1076d3835d804595d2558ae61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
03b8da52cffe973dce1faeea180007cc

SHA1
e96de7124f3206d61c9035c900edac5d38abeae0

SHA256
0176e6b9a7e836e147395aa58ea38450b1a56e3ce14bb68146cb9524e30ea9da

SHA512
2fe1a56ecd1b690518ea3b51bba5c91c9a363ef7aace1b4fb54e212e1398e12e2af6ed8ddb5b9906ca8edfd94fee39665a68417e19715a97730b1edd0b7b67ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
03b8da52cffe973dce1faeea180007cc

SHA1
e96de7124f3206d61c9035c900edac5d38abeae0

SHA256
0176e6b9a7e836e147395aa58ea38450b1a56e3ce14bb68146cb9524e30ea9da

SHA512
2fe1a56ecd1b690518ea3b51bba5c91c9a363ef7aace1b4fb54e212e1398e12e2af6ed8ddb5b9906ca8edfd94fee39665a68417e19715a97730b1edd0b7b67ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
03b8da52cffe973dce1faeea180007cc

SHA1
e96de7124f3206d61c9035c900edac5d38abeae0

SHA256
0176e6b9a7e836e147395aa58ea38450b1a56e3ce14bb68146cb9524e30ea9da

SHA512
2fe1a56ecd1b690518ea3b51bba5c91c9a363ef7aace1b4fb54e212e1398e12e2af6ed8ddb5b9906ca8edfd94fee39665a68417e19715a97730b1edd0b7b67ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f3bd7bb66d852754c5a7ca3beb1917f7

SHA1
088b04705e29bf22d07a7260125b42627fcc4216

SHA256
4c002fdbf2a04a0ac637159efa35a9efcab5b60da6abc194446a42d0cfd0e3bb

SHA512
66b283da569af9070038bc4de0e08eae924635d3bd9eb2482d3dad24b077edf0025828bd52ac51e1d73a4ea3de673297dcb1390eb3c484a006ef67ee742364a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f3bd7bb66d852754c5a7ca3beb1917f7

SHA1
088b04705e29bf22d07a7260125b42627fcc4216

SHA256
4c002fdbf2a04a0ac637159efa35a9efcab5b60da6abc194446a42d0cfd0e3bb

SHA512
66b283da569af9070038bc4de0e08eae924635d3bd9eb2482d3dad24b077edf0025828bd52ac51e1d73a4ea3de673297dcb1390eb3c484a006ef67ee742364a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f3bd7bb66d852754c5a7ca3beb1917f7

SHA1
088b04705e29bf22d07a7260125b42627fcc4216

SHA256
4c002fdbf2a04a0ac637159efa35a9efcab5b60da6abc194446a42d0cfd0e3bb

SHA512
66b283da569af9070038bc4de0e08eae924635d3bd9eb2482d3dad24b077edf0025828bd52ac51e1d73a4ea3de673297dcb1390eb3c484a006ef67ee742364a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ec390e4-b4a3-4195-8107-c0cb6957ff98\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8557d40-3d87-45ad-af1b-7081443b729b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
memory/196-185-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/196-189-0x0000000004D62000-0x0000000004D63000-memory.dmp

Filesize
4KB

Download
memory/196-265-0x000000007F470000-0x000000007F471000-memory.dmp

Filesize
4KB

Download
memory/196-259-0x0000000004D63000-0x0000000004D64000-memory.dmp

Filesize
4KB

Download
memory/196-147-0x0000000000000000-mapping.dmp

Download
memory/1164-128-0x0000000000000000-mapping.dmp

Download
memory/1164-158-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/1164-246-0x000000007EDA0000-0x000000007EDA1000-memory.dmp

Filesize
4KB

Download
memory/1164-242-0x00000000068C3000-0x00000000068C4000-memory.dmp

Filesize
4KB

Download
memory/1164-197-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/1504-176-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/1504-130-0x0000000000000000-mapping.dmp

Download
memory/1504-166-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/1504-245-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/1504-253-0x000000007F690000-0x000000007F691000-memory.dmp

Filesize
4KB

Download
memory/2156-170-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2156-131-0x0000000000000000-mapping.dmp

Download
memory/2288-283-0x0000000000000000-mapping.dmp

Download
memory/2984-248-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/2984-183-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/2984-250-0x000000007E280000-0x000000007E281000-memory.dmp

Filesize
4KB

Download
memory/2984-136-0x0000000000000000-mapping.dmp

Download
memory/2984-174-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3016-157-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/3016-116-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3016-117-0x0000000001010000-0x000000000107E000-memory.dmp

Filesize
440KB

Download
memory/3016-114-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/3016-118-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3016-119-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3016-120-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3152-162-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/3152-264-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/3152-155-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3152-129-0x0000000000000000-mapping.dmp

Download
memory/3152-257-0x00000000049F3000-0x00000000049F4000-memory.dmp

Filesize
4KB

Download
memory/3356-124-0x0000000000000000-mapping.dmp

Download
memory/3472-180-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/3472-121-0x0000000000000000-mapping.dmp

Download
memory/3472-187-0x0000000004242000-0x0000000004243000-memory.dmp

Filesize
4KB

Download
memory/3472-251-0x0000000004243000-0x0000000004244000-memory.dmp

Filesize
4KB

Download
memory/3472-256-0x000000007F8A0000-0x000000007F8A1000-memory.dmp

Filesize
4KB

Download
memory/3472-140-0x0000000000000000-mapping.dmp

Download
memory/3532-202-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3532-192-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

Filesize
4KB

Download
memory/3532-252-0x0000000004CA3000-0x0000000004CA4000-memory.dmp

Filesize
4KB

Download
memory/3532-199-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3532-205-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/3532-163-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3532-126-0x0000000000000000-mapping.dmp

Download
memory/3532-263-0x000000007E0F0000-0x000000007E0F1000-memory.dmp

Filesize
4KB

Download
memory/3844-153-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3844-190-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/3844-141-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/3844-249-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

Filesize
4KB

Download
memory/3844-127-0x0000000000000000-mapping.dmp

Download
memory/3844-150-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/3844-243-0x0000000006B83000-0x0000000006B84000-memory.dmp

Filesize
4KB

Download
memory/3844-194-0x0000000006B82000-0x0000000006B83000-memory.dmp

Filesize
4KB

Download
memory/4124-220-0x0000000000000000-mapping.dmp

Download
memory/4124-231-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4124-232-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/4200-233-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4200-234-0x0000000004E82000-0x0000000004E83000-memory.dmp

Filesize
4KB

Download
memory/4200-221-0x0000000000000000-mapping.dmp

Download
memory/4432-281-0x0000000000000000-mapping.dmp

Download
memory/4532-191-0x0000000000000000-mapping.dmp

Download
memory/4780-215-0x0000000000000000-mapping.dmp

Download
memory/4808-235-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/4808-224-0x0000000000000000-mapping.dmp

Download
memory/4808-236-0x00000000074F2000-0x00000000074F3000-memory.dmp

Filesize
4KB

Download
memory/4828-238-0x0000000004BA2000-0x0000000004BA3000-memory.dmp

Filesize
4KB

Download
memory/4828-237-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4828-227-0x0000000000000000-mapping.dmp

Download
memory/4924-239-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/4924-240-0x0000000002B02000-0x0000000002B03000-memory.dmp

Filesize
4KB

Download
memory/4924-230-0x0000000000000000-mapping.dmp

Download
memory/5040-280-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/5040-223-0x0000000006902000-0x0000000006903000-memory.dmp

Filesize
4KB

Download
memory/5040-222-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/5040-217-0x0000000000000000-mapping.dmp

Download
memory/5068-225-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/5068-282-0x000000007F6B0000-0x000000007F6B1000-memory.dmp

Filesize
4KB

Download
memory/5068-218-0x0000000000000000-mapping.dmp

Download
memory/5068-226-0x0000000004362000-0x0000000004363000-memory.dmp

Filesize
4KB

Download
memory/5108-219-0x0000000000000000-mapping.dmp

Download
memory/5108-229-0x0000000006BD2000-0x0000000006BD3000-memory.dmp

Filesize
4KB

Download
memory/5108-228-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/5208-284-0x0000000000000000-mapping.dmp

Download
memory/5236-255-0x0000000006B52000-0x0000000006B53000-memory.dmp

Filesize
4KB

Download
memory/5236-254-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/5236-241-0x0000000000000000-mapping.dmp

Download
memory/5272-261-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/5272-258-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/5272-244-0x0000000000000000-mapping.dmp

Download
memory/5300-336-0x0000000000000000-mapping.dmp

Download
memory/5316-262-0x0000000004E42000-0x0000000004E43000-memory.dmp

Filesize
4KB

Download
memory/5316-247-0x0000000000000000-mapping.dmp

Download
memory/5316-260-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/5436-285-0x0000000000000000-mapping.dmp

Download
memory/5572-286-0x0000000000000000-mapping.dmp

Download
memory/5580-279-0x0000000000000000-mapping.dmp

Download
memory/5864-270-0x0000000007562000-0x0000000007563000-memory.dmp

Filesize
4KB

Download
memory/5864-269-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/5864-266-0x0000000000000000-mapping.dmp

Download
memory/5888-267-0x0000000000000000-mapping.dmp

Download
memory/5888-272-0x0000000006B22000-0x0000000006B23000-memory.dmp

Filesize
4KB

Download
memory/5888-271-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/5924-274-0x0000000006C42000-0x0000000006C43000-memory.dmp

Filesize
4KB

Download
memory/5924-268-0x0000000000000000-mapping.dmp

Download
memory/5924-273-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/6292-288-0x0000000000000000-mapping.dmp

Download
memory/6364-289-0x0000000000000000-mapping.dmp

Download
memory/6424-290-0x0000000000000000-mapping.dmp

Download
memory/6500-299-0x0000000000000000-mapping.dmp

Download
memory/6588-291-0x0000000000000000-mapping.dmp

Download
memory/6648-292-0x0000000000000000-mapping.dmp

Download
memory/6684-293-0x0000000000000000-mapping.dmp

Download
memory/6788-298-0x0000000000000000-mapping.dmp

Download
memory/6860-297-0x0000000000000000-mapping.dmp

Download
memory/7028-294-0x0000000000000000-mapping.dmp

Download
memory/7072-295-0x0000000000000000-mapping.dmp

Download
memory/7112-296-0x0000000000000000-mapping.dmp

Download
memory/7428-301-0x0000000000000000-mapping.dmp

Download
memory/7488-302-0x0000000000000000-mapping.dmp

Download
memory/7532-303-0x0000000000000000-mapping.dmp

Download
memory/7680-311-0x0000000000000000-mapping.dmp

Download
memory/7872-312-0x0000000000000000-mapping.dmp

Download
memory/8040-306-0x0000000000000000-mapping.dmp

Download
memory/8080-307-0x0000000000000000-mapping.dmp

Download
memory/8128-308-0x0000000000000000-mapping.dmp

Download
memory/8136-313-0x0000000000000000-mapping.dmp

Download
memory/8176-326-0x0000000000000000-mapping.dmp

Download
memory/8232-335-0x0000000000000000-mapping.dmp

Download
memory/8364-317-0x0000000000000000-mapping.dmp

Download
memory/8396-318-0x0000000000000000-mapping.dmp

Download
memory/8436-319-0x0000000000000000-mapping.dmp

Download
memory/8684-331-0x0000000000000000-mapping.dmp

Download
memory/8740-320-0x0000000000000000-mapping.dmp

Download
memory/8804-321-0x0000000000000000-mapping.dmp

Download
memory/8848-322-0x0000000000000000-mapping.dmp

Download