asyncrat | c859ca0267663b4fe7ebb26f0b99cadef80b2e0c1cc66007ff4cd3a55f451969

Analysis

max time kernel
75s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Sheet.exe
Size

2.6MB
MD5

9bc1a47fdbd32cc92c94a9d1a84597ac
SHA1

63a5eb6563208137d12dd8fa4ede2e2c98e70033
SHA256

ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
SHA512

559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Score

10^/10

asyncrat evasion rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exe

pid	process
2444	AdvancedRun.exe
1704	AdvancedRun.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
4688	AdvancedRun.exe
4884	AdvancedRun.exe
4916	1Ua9ea19ce4Va7ea83fucAac58.exe

Drops startup file 2 IoCs

Processes:

Order Sheet.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Order Sheet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Order Sheet.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Order Sheet.exe1Ua9ea19ce4Va7ea83fucAac58.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Order Sheet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1Ua9ea19ce4Va7ea83fucAac58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1Ua9ea19ce4Va7ea83fucAac58.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

Order Sheet.exe1Ua9ea19ce4Va7ea83fucAac58.exe

pid	process
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
512	Order Sheet.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe
1704	1Ua9ea19ce4Va7ea83fucAac58.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Order Sheet.exe1Ua9ea19ce4Va7ea83fucAac58.exe

description	pid	process	target process
PID 512 set thread context of 10068	512	Order Sheet.exe	Order Sheet.exe
PID 1704 set thread context of 4916	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	1Ua9ea19ce4Va7ea83fucAac58.exe

Drops file in Windows directory 2 IoCs

Processes:

WerFault.exeOrder Sheet.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe	Order Sheet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

9948 512 WerFault.exe Order Sheet.exe
9432 1704 WerFault.exe 1Ua9ea19ce4Va7ea83fucAac58.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

9228 timeout.exe
2896 timeout.exe

pid	pid_target	process	target process
9948	512	WerFault.exe	Order Sheet.exe
9432	1704	WerFault.exe	1Ua9ea19ce4Va7ea83fucAac58.exe

pid	process
9228	timeout.exe
2896	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2444	AdvancedRun.exe
2444	AdvancedRun.exe
2444	AdvancedRun.exe
2444	AdvancedRun.exe
1704	AdvancedRun.exe
1704	AdvancedRun.exe
1704	AdvancedRun.exe
1704	AdvancedRun.exe
780	powershell.exe
780	powershell.exe
856	powershell.exe
856	powershell.exe
688	powershell.exe
688	powershell.exe
2396	powershell.exe
2396	powershell.exe
2804	powershell.exe
2804	powershell.exe
2708	powershell.exe
2708	powershell.exe
4688	AdvancedRun.exe
4688	AdvancedRun.exe
4688	AdvancedRun.exe
4688	AdvancedRun.exe
4144	powershell.exe
4144	powershell.exe
4232	powershell.exe
4232	powershell.exe
4884	AdvancedRun.exe
4884	AdvancedRun.exe
4884	AdvancedRun.exe
4884	AdvancedRun.exe
856	powershell.exe
688	powershell.exe
2396	powershell.exe
780	powershell.exe
2804	powershell.exe
2708	powershell.exe
4232	powershell.exe
4144	powershell.exe
5096	powershell.exe
5096	powershell.exe
4180	powershell.exe
4180	powershell.exe
2704	powershell.exe
2704	powershell.exe
856	powershell.exe
856	powershell.exe
2396	powershell.exe
2396	powershell.exe
688	powershell.exe
688	powershell.exe
5096	powershell.exe
4180	powershell.exe
780	powershell.exe
780	powershell.exe
2804	powershell.exe
2804	powershell.exe
2704	powershell.exe
2708	powershell.exe
2708	powershell.exe
4232	powershell.exe
4232	powershell.exe
4144	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2444	AdvancedRun.exe
Token: SeImpersonatePrivilege	2444	AdvancedRun.exe
Token: SeDebugPrivilege	1704	AdvancedRun.exe
Token: SeImpersonatePrivilege	1704	AdvancedRun.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4688	AdvancedRun.exe
Token: SeImpersonatePrivilege	4688	AdvancedRun.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4884	AdvancedRun.exe
Token: SeImpersonatePrivilege	4884	AdvancedRun.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5524	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	5908	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	5532	powershell.exe
Token: SeDebugPrivilege	6540	powershell.exe
Token: SeDebugPrivilege	6432	powershell.exe
Token: SeDebugPrivilege	6480	powershell.exe
Token: SeDebugPrivilege	6500	powershell.exe
Token: SeDebugPrivilege	6616	powershell.exe
Token: SeDebugPrivilege	6564	powershell.exe
Token: SeDebugPrivilege	6660	powershell.exe
Token: SeDebugPrivilege	6300	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	7220	powershell.exe
Token: SeDebugPrivilege	7412	powershell.exe
Token: SeDebugPrivilege	7548	powershell.exe
Token: SeDebugPrivilege	7476	powershell.exe
Token: SeDebugPrivilege	7608	powershell.exe
Token: SeDebugPrivilege	7692	powershell.exe
Token: SeDebugPrivilege	7792	powershell.exe
Token: SeDebugPrivilege	8084	powershell.exe
Token: SeDebugPrivilege	7556	powershell.exe
Token: SeDebugPrivilege	6996	powershell.exe
Token: SeDebugPrivilege	8456	powershell.exe
Token: SeDebugPrivilege	8488	powershell.exe
Token: SeDebugPrivilege	8500	powershell.exe
Token: SeDebugPrivilege	8556	powershell.exe
Token: SeDebugPrivilege	8576	powershell.exe
Token: SeDebugPrivilege	8656	powershell.exe
Token: SeDebugPrivilege	9124	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order Sheet.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exe

description	pid	process	target process
PID 512 wrote to memory of 2444	512	Order Sheet.exe	AdvancedRun.exe
PID 512 wrote to memory of 2444	512	Order Sheet.exe	AdvancedRun.exe
PID 512 wrote to memory of 2444	512	Order Sheet.exe	AdvancedRun.exe
PID 2444 wrote to memory of 1704	2444	AdvancedRun.exe	AdvancedRun.exe
PID 2444 wrote to memory of 1704	2444	AdvancedRun.exe	AdvancedRun.exe
PID 2444 wrote to memory of 1704	2444	AdvancedRun.exe	AdvancedRun.exe
PID 512 wrote to memory of 780	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 780	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 780	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 688	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 688	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 688	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 856	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 856	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 856	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2396	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2396	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2396	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2804	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2804	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2804	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 1704	512	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 512 wrote to memory of 1704	512	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 512 wrote to memory of 1704	512	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 512 wrote to memory of 2708	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2708	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2708	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4144	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4144	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4144	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4232	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4232	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4232	512	Order Sheet.exe	powershell.exe
PID 1704 wrote to memory of 4688	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 1704 wrote to memory of 4688	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 1704 wrote to memory of 4688	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 4688 wrote to memory of 4884	4688	AdvancedRun.exe	AdvancedRun.exe
PID 4688 wrote to memory of 4884	4688	AdvancedRun.exe	AdvancedRun.exe
PID 4688 wrote to memory of 4884	4688	AdvancedRun.exe	AdvancedRun.exe
PID 512 wrote to memory of 5096	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 5096	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 5096	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2704	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2704	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 2704	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4180	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4180	512	Order Sheet.exe	powershell.exe
PID 512 wrote to memory of 4180	512	Order Sheet.exe	powershell.exe
PID 1704 wrote to memory of 1524	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 1524	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 1524	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4848	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4848	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4848	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4888	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4888	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4888	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4860	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4860	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 4860	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 2840	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 2840	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1704 wrote to memory of 2840	1704	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 512 wrote to memory of 5440	512	Order Sheet.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Order Sheet.exe1Ua9ea19ce4Va7ea83fucAac58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1Ua9ea19ce4Va7ea83fucAac58.exe

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
1⤵
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:512

C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe" /SpecialRun 4101d8 2444
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704

C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe" /SpecialRun 4101d8 4688
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:9124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:7016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
PID:9468

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2896

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
3⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1856
3⤵
- Program crash
PID:9432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
PID:9600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:10048

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:9228

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
2⤵
PID:10068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1636
2⤵
- Drops file in Windows directory
- Program crash
PID:9948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
91490fc7cd4d7c5012158a1c0e99344f

SHA1
33edf87d925606ec597c61c297016d854203049c

SHA256
44f9ed46d8cd7d0c23648b550418cffb74ea34b283238f1a6abf3ee6bc0d98b9

SHA512
4d91ab120350f344930edc69591e3847555a8d6461221e8b63ec78d30d1ab45f82d00543b910c961cffea175a43b9d28e8f38d33c465f224dba9ce96a42d7001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
91490fc7cd4d7c5012158a1c0e99344f

SHA1
33edf87d925606ec597c61c297016d854203049c

SHA256
44f9ed46d8cd7d0c23648b550418cffb74ea34b283238f1a6abf3ee6bc0d98b9

SHA512
4d91ab120350f344930edc69591e3847555a8d6461221e8b63ec78d30d1ab45f82d00543b910c961cffea175a43b9d28e8f38d33c465f224dba9ce96a42d7001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
91490fc7cd4d7c5012158a1c0e99344f

SHA1
33edf87d925606ec597c61c297016d854203049c

SHA256
44f9ed46d8cd7d0c23648b550418cffb74ea34b283238f1a6abf3ee6bc0d98b9

SHA512
4d91ab120350f344930edc69591e3847555a8d6461221e8b63ec78d30d1ab45f82d00543b910c961cffea175a43b9d28e8f38d33c465f224dba9ce96a42d7001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a2b087e7472047586aee8e03cc9dd4ae

SHA1
d1b52c1c93e7bb66785a9282aa874bce07003e3a

SHA256
31fe71464fda005368a23d306fef375fdca0df61691179aeff5d58d2d2adf798

SHA512
80d0f3483bbd59d3d6da005817d83d3068209bc9bdbe29549bc168e40ebe5279c355aa678f0a82213bfa30a12e3295d18cefe84161dc037cb6da63ffa02c2d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a2b087e7472047586aee8e03cc9dd4ae

SHA1
d1b52c1c93e7bb66785a9282aa874bce07003e3a

SHA256
31fe71464fda005368a23d306fef375fdca0df61691179aeff5d58d2d2adf798

SHA512
80d0f3483bbd59d3d6da005817d83d3068209bc9bdbe29549bc168e40ebe5279c355aa678f0a82213bfa30a12e3295d18cefe84161dc037cb6da63ffa02c2d21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ee051524a2c1c6630e89e807a0aff503

SHA1
a0902ae9d28a75e7809c413b93ab80da83f79fb4

SHA256
09aa3241a5c7c261552f7b9bd3294578a66a251916981323b39ae83d99b68504

SHA512
3f9853d7cf3ec32ac6a9ea9bafc137e60d9c7e14cca8e3520a34817938436bafa45245a091c23373fad956f4f8da7c0f246e5960d627e11f358169313cebab09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8439be7996b448b9cf3e9e662cec3321

SHA1
30262b7c5d9a97a98e4df37c8e50e75d1431306d

SHA256
1c323605656b5c16345f4339b4eec7ef90d17ded67ddf1c8c1fe24caee9bcc44

SHA512
4f5ea618e9e41a7f9963a45b34da37d42df51e8b17dc958dcced8ba13d70fe83e0096911879cdbf5592d2b83ed8e7f943a35e5c6e39d5fd9320654874f6065c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8439be7996b448b9cf3e9e662cec3321

SHA1
30262b7c5d9a97a98e4df37c8e50e75d1431306d

SHA256
1c323605656b5c16345f4339b4eec7ef90d17ded67ddf1c8c1fe24caee9bcc44

SHA512
4f5ea618e9e41a7f9963a45b34da37d42df51e8b17dc958dcced8ba13d70fe83e0096911879cdbf5592d2b83ed8e7f943a35e5c6e39d5fd9320654874f6065c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8439be7996b448b9cf3e9e662cec3321

SHA1
30262b7c5d9a97a98e4df37c8e50e75d1431306d

SHA256
1c323605656b5c16345f4339b4eec7ef90d17ded67ddf1c8c1fe24caee9bcc44

SHA512
4f5ea618e9e41a7f9963a45b34da37d42df51e8b17dc958dcced8ba13d70fe83e0096911879cdbf5592d2b83ed8e7f943a35e5c6e39d5fd9320654874f6065c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ee051524a2c1c6630e89e807a0aff503

SHA1
a0902ae9d28a75e7809c413b93ab80da83f79fb4

SHA256
09aa3241a5c7c261552f7b9bd3294578a66a251916981323b39ae83d99b68504

SHA512
3f9853d7cf3ec32ac6a9ea9bafc137e60d9c7e14cca8e3520a34817938436bafa45245a091c23373fad956f4f8da7c0f246e5960d627e11f358169313cebab09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ee051524a2c1c6630e89e807a0aff503

SHA1
a0902ae9d28a75e7809c413b93ab80da83f79fb4

SHA256
09aa3241a5c7c261552f7b9bd3294578a66a251916981323b39ae83d99b68504

SHA512
3f9853d7cf3ec32ac6a9ea9bafc137e60d9c7e14cca8e3520a34817938436bafa45245a091c23373fad956f4f8da7c0f246e5960d627e11f358169313cebab09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8439be7996b448b9cf3e9e662cec3321

SHA1
30262b7c5d9a97a98e4df37c8e50e75d1431306d

SHA256
1c323605656b5c16345f4339b4eec7ef90d17ded67ddf1c8c1fe24caee9bcc44

SHA512
4f5ea618e9e41a7f9963a45b34da37d42df51e8b17dc958dcced8ba13d70fe83e0096911879cdbf5592d2b83ed8e7f943a35e5c6e39d5fd9320654874f6065c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8439be7996b448b9cf3e9e662cec3321

SHA1
30262b7c5d9a97a98e4df37c8e50e75d1431306d

SHA256
1c323605656b5c16345f4339b4eec7ef90d17ded67ddf1c8c1fe24caee9bcc44

SHA512
4f5ea618e9e41a7f9963a45b34da37d42df51e8b17dc958dcced8ba13d70fe83e0096911879cdbf5592d2b83ed8e7f943a35e5c6e39d5fd9320654874f6065c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a9b9cc66e10ea5148259e9e52d38a693

SHA1
77be40d461aec719a5af5e22ab236f9de613b924

SHA256
98a579861fe30b770447a3439d3ee7711c47a662ee8d315d4fc0566c5b4f712b

SHA512
2a0d425ed56cf27e7160e1be3c41c2f9ba6934d5bb51bf0e487a02e22c1b423240cf72ea6d84f4f3dd8a0f92e777c51a0b878ec952f1d4f8de24e65e212f221c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
26a9b1fc799a0cd41a1f3d3350f6c20f

SHA1
218553378caa84b5bfc7725fb6141c5c63cde474

SHA256
e24a8dd0de6f90b841093e42afa97492b36de4248b72d95462b1278409a56111

SHA512
11caa55feea612f9218ed7d2a2f320c8c47f2888b4eb5e016a4041f4d79681a979d8491837636cfbbc9f411c1edd99e902764999492f8f04b38b4d4e363ca4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
26a9b1fc799a0cd41a1f3d3350f6c20f

SHA1
218553378caa84b5bfc7725fb6141c5c63cde474

SHA256
e24a8dd0de6f90b841093e42afa97492b36de4248b72d95462b1278409a56111

SHA512
11caa55feea612f9218ed7d2a2f320c8c47f2888b4eb5e016a4041f4d79681a979d8491837636cfbbc9f411c1edd99e902764999492f8f04b38b4d4e363ca4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2398afb72740ec2726822226495b7c29

SHA1
824453dff2609f315ea22619958133ae3b4216c0

SHA256
baa48dfd6d87f41aca75eb6eaec09e0224c18a0487ca376b423332558f0aba65

SHA512
d2c9fcdf6ad7a18cf2d11c30e616ed09560865e8802e7b3f4a5b138c665d611f57bfc129adaf2540bc91a881c21c505c45acef06b12d70b86e4d4c164b028896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68c07e232e770525aa9fb90ae5355a6d

SHA1
e0c187904485bf4e795d31bf589c2d77270d47e5

SHA256
443a87eb0abb4444ce824929005f434368757a389eef772b45b98120c4a7a987

SHA512
f3c095bfd0914cbe6cd6e18889491cbc3c54fa2e2f1d5021241c75e1c6d35f280bd376014ada343260ab2ecfd14b95323f25454f9be4f530a823912fd2c6d660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68c07e232e770525aa9fb90ae5355a6d

SHA1
e0c187904485bf4e795d31bf589c2d77270d47e5

SHA256
443a87eb0abb4444ce824929005f434368757a389eef772b45b98120c4a7a987

SHA512
f3c095bfd0914cbe6cd6e18889491cbc3c54fa2e2f1d5021241c75e1c6d35f280bd376014ada343260ab2ecfd14b95323f25454f9be4f530a823912fd2c6d660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68c07e232e770525aa9fb90ae5355a6d

SHA1
e0c187904485bf4e795d31bf589c2d77270d47e5

SHA256
443a87eb0abb4444ce824929005f434368757a389eef772b45b98120c4a7a987

SHA512
f3c095bfd0914cbe6cd6e18889491cbc3c54fa2e2f1d5021241c75e1c6d35f280bd376014ada343260ab2ecfd14b95323f25454f9be4f530a823912fd2c6d660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed7176e3bc96d2cd48946a194fe7e591

SHA1
fa960ffb92fc37770fd95a10530939537dc15fc4

SHA256
ff8422a262b8bbbc6d70cfe17bb74fea5812a3b272659a743ae69bb2257f8ea2

SHA512
5b64d3810f6ae08e4834549324e02b4e6754fc077406c798e45e79787c768dbe1e7623731fcc37d47075a3d7d2e087d6035408b00f1477bf330772a68efedfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed7176e3bc96d2cd48946a194fe7e591

SHA1
fa960ffb92fc37770fd95a10530939537dc15fc4

SHA256
ff8422a262b8bbbc6d70cfe17bb74fea5812a3b272659a743ae69bb2257f8ea2

SHA512
5b64d3810f6ae08e4834549324e02b4e6754fc077406c798e45e79787c768dbe1e7623731fcc37d47075a3d7d2e087d6035408b00f1477bf330772a68efedfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6e807153f4cb135d7f137daa82ecdbd3

SHA1
fc045f8cb198b852e14851fdbabebc3cccb003d2

SHA256
cf23a0b0d8d78a1c38c1312ec1eb2dc1c260730e427f0e5d591cad57651c2d78

SHA512
a69e301fe8d1ff6b6786bb4e57b7de8095000e7a8c8137d5493260e6793d0d3f6eb726595adc218e4534cfe5f98c0cb19b17da1864915b31f43b0d8f3833e3f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6e807153f4cb135d7f137daa82ecdbd3

SHA1
fc045f8cb198b852e14851fdbabebc3cccb003d2

SHA256
cf23a0b0d8d78a1c38c1312ec1eb2dc1c260730e427f0e5d591cad57651c2d78

SHA512
a69e301fe8d1ff6b6786bb4e57b7de8095000e7a8c8137d5493260e6793d0d3f6eb726595adc218e4534cfe5f98c0cb19b17da1864915b31f43b0d8f3833e3f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
41f31449cc68dc86b6d16acd953d44e8

SHA1
a7047ea19fc3530c1d24724bd5acede30108842c

SHA256
1748272975e387affc1a9e711fa9f36efdf19db3271635f3675dd3d5a24eb084

SHA512
e8d8bf0cf0a35aa92b763ba37860073d3b4ab7e2a50aff8af57a2ec5793cdd39af0d8efcb21d36fabeea13d57cc4e5debe40edd696d5e44b63d7d1a60eba7d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
41f31449cc68dc86b6d16acd953d44e8

SHA1
a7047ea19fc3530c1d24724bd5acede30108842c

SHA256
1748272975e387affc1a9e711fa9f36efdf19db3271635f3675dd3d5a24eb084

SHA512
e8d8bf0cf0a35aa92b763ba37860073d3b4ab7e2a50aff8af57a2ec5793cdd39af0d8efcb21d36fabeea13d57cc4e5debe40edd696d5e44b63d7d1a60eba7d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
eb28b5611c86e31f3f4a1f93519a54fc

SHA1
b3ed072db421fe0ac54bfa4ba4680a5fb24acea6

SHA256
c908931e12171e0edb31cdcd04433d222f5f1a6dba0053f8cd0822dd51ceaacb

SHA512
f7a7d2507c1eec52e3643f20226bab323ad6b81305b4cf5529107c5fe8af7bf7dde55d0a4eab686c3100651d0d68a6c559eaf1422d97b3f747a830003807ca51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5d56bca11060d86b22889191de2fedc0

SHA1
3f03e358cc125a129d93734b9b9e8d65ab383070

SHA256
0f42f60ee481601a54602f924faf5e4c2b3553a410e1a2caa1f371349c0f2635

SHA512
b73eb1fc7a995e6a5da72212f178563109cdb02e4b79080392d090ef8f7cc9afcc2a913af56af21b48a470755ab4709e7f1c7c6099e68c9db9ff2f715baebdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
eb28b5611c86e31f3f4a1f93519a54fc

SHA1
b3ed072db421fe0ac54bfa4ba4680a5fb24acea6

SHA256
c908931e12171e0edb31cdcd04433d222f5f1a6dba0053f8cd0822dd51ceaacb

SHA512
f7a7d2507c1eec52e3643f20226bab323ad6b81305b4cf5529107c5fe8af7bf7dde55d0a4eab686c3100651d0d68a6c559eaf1422d97b3f747a830003807ca51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
eb28b5611c86e31f3f4a1f93519a54fc

SHA1
b3ed072db421fe0ac54bfa4ba4680a5fb24acea6

SHA256
c908931e12171e0edb31cdcd04433d222f5f1a6dba0053f8cd0822dd51ceaacb

SHA512
f7a7d2507c1eec52e3643f20226bab323ad6b81305b4cf5529107c5fe8af7bf7dde55d0a4eab686c3100651d0d68a6c559eaf1422d97b3f747a830003807ca51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a6d0d2aac32ed009c4be92368837c113

SHA1
fc4b4dd30baf3f0288688934ef88b4ae1a1a31e7

SHA256
98157d8da691a42306fddc78c908aef43c0929b515941ebff79580c198057ff2

SHA512
3b7f95f52af4054a64c1e2fc210242c46e4ccc5adce56558a2d2cff9c4602df87de56fc7da9f1940b505001d03f0ae6e518cb25f210f360cbdb93a8e23b6ec8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68141219571264f35c553dd5466ead8e

SHA1
671bb6f2b47c1227ce3f8a2f6783e827afb82fb2

SHA256
08a2e2bb08e22dea739e8845cdcd725fc819c1aba7787c7515a853060b5d648b

SHA512
2cf5c7050e6ae8dea318e29bffc2d9ac00f88d15267d28180151da9f4fc5b884e3a7e52869661ba0378c79df26b4d9c18ac3369531205a99a678a229c1da5275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68141219571264f35c553dd5466ead8e

SHA1
671bb6f2b47c1227ce3f8a2f6783e827afb82fb2

SHA256
08a2e2bb08e22dea739e8845cdcd725fc819c1aba7787c7515a853060b5d648b

SHA512
2cf5c7050e6ae8dea318e29bffc2d9ac00f88d15267d28180151da9f4fc5b884e3a7e52869661ba0378c79df26b4d9c18ac3369531205a99a678a229c1da5275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68141219571264f35c553dd5466ead8e

SHA1
671bb6f2b47c1227ce3f8a2f6783e827afb82fb2

SHA256
08a2e2bb08e22dea739e8845cdcd725fc819c1aba7787c7515a853060b5d648b

SHA512
2cf5c7050e6ae8dea318e29bffc2d9ac00f88d15267d28180151da9f4fc5b884e3a7e52869661ba0378c79df26b4d9c18ac3369531205a99a678a229c1da5275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68141219571264f35c553dd5466ead8e

SHA1
671bb6f2b47c1227ce3f8a2f6783e827afb82fb2

SHA256
08a2e2bb08e22dea739e8845cdcd725fc819c1aba7787c7515a853060b5d648b

SHA512
2cf5c7050e6ae8dea318e29bffc2d9ac00f88d15267d28180151da9f4fc5b884e3a7e52869661ba0378c79df26b4d9c18ac3369531205a99a678a229c1da5275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
68141219571264f35c553dd5466ead8e

SHA1
671bb6f2b47c1227ce3f8a2f6783e827afb82fb2

SHA256
08a2e2bb08e22dea739e8845cdcd725fc819c1aba7787c7515a853060b5d648b

SHA512
2cf5c7050e6ae8dea318e29bffc2d9ac00f88d15267d28180151da9f4fc5b884e3a7e52869661ba0378c79df26b4d9c18ac3369531205a99a678a229c1da5275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
23293dbc1b8d99a36ffc798b62891ab8

SHA1
0358d135a3bec8607a8b4179ed7d4db7e2757f27

SHA256
8dd996524e007bb374523e7de202d036efb9c5e4f31cb10792d2a0797ad8b54f

SHA512
aff2a5c2beecc3db06e910f7535d5f569eff5acd021ed0e481424e9c65a2700036e97dd9bd312d493a659e297ac880da42aa8ef47c2eea13b093a1eb5cbe3906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ec424e48302240b277b1803e76e901ff

SHA1
180f93ffbc68c3d73936ff6886c26bea9e3aaf2e

SHA256
bd45eeec3b17f7b5b941b194ede146f3bd32109a8f0dea96960adc0a83ed9a31

SHA512
8118063eae41326c2cf916c0d2a2441aca0862051413f8b4cd0d79f9f16b05c45c0f3bfc758d8fc2977cc47b2c59ed6631c0898974b6c4ac0ca4b77e532adcbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0971745290de4cb39a291c6534ff5c74

SHA1
d9c4a36a2999ddbe8726f25f43ba6a9c4dba9837

SHA256
13d1fe96c1cab5c24a9454620bb9130e90e28d0825ea4e263d765b18bf6432d9

SHA512
1d387a78f5331cef64fdf235949f21cd892cc4e3713086863083b73e05b5157183429ca6368271ee58b29ba8216b3c262111eff5d2adc879edd660c1e864a73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
87433d808918ab8c0fe63ae836c80da5

SHA1
2be5605ea44ba8a4df9fdcbf46dd5fe6d8a8ee20

SHA256
3ba180b63414a61d9df9986889b204fe69f5d67540aa3b0a348f8e59d330139c

SHA512
795f2bcc632b6dd13b450f2d329bc0d3d756db2101110f59d3f53fd91eb2ef52ea7e7ab8df22675bb94abb26b54094eec3eb69dfc0f39c58679551d35da36320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
b32402c4439d905b9924083257552919

SHA1
06d04820b5d3581099be0aed12fce4437fbbb958

SHA256
f55dccb209bbe936c15dbfa5b67ba053845bcf823f4d9d6c4f16a315b5546e0a

SHA512
b3c5925a50dd93fd03e87404c3aba43c02bad717f666115e4603eba877702fd1efd6b5fde76314a757d678eb0e82ee731db6596624976850183f4b89551aa9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
b32402c4439d905b9924083257552919

SHA1
06d04820b5d3581099be0aed12fce4437fbbb958

SHA256
f55dccb209bbe936c15dbfa5b67ba053845bcf823f4d9d6c4f16a315b5546e0a

SHA512
b3c5925a50dd93fd03e87404c3aba43c02bad717f666115e4603eba877702fd1efd6b5fde76314a757d678eb0e82ee731db6596624976850183f4b89551aa9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
b32402c4439d905b9924083257552919

SHA1
06d04820b5d3581099be0aed12fce4437fbbb958

SHA256
f55dccb209bbe936c15dbfa5b67ba053845bcf823f4d9d6c4f16a315b5546e0a

SHA512
b3c5925a50dd93fd03e87404c3aba43c02bad717f666115e4603eba877702fd1efd6b5fde76314a757d678eb0e82ee731db6596624976850183f4b89551aa9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
de5a0bde66144162e936baad520a7984

SHA1
009274aa828db03419d8333641071013b35f5d62

SHA256
ac050f7d0edf5e063868c7da17599d966f8052c17ce3f96b0654dcc89f41b078

SHA512
107314094d69041fd0b80ab8bd2ecac3ec8375dce7b3691e5f8a8c54418a75955e4122a8dcdee5b57f35ca0073f326a6e0afcb62727ac38097433444b849818e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1fac48cb816ee9d2a4c9881436a0f5ed

SHA1
5ed4b46935ae07ad8448842caeb4c6afb6202a3c

SHA256
f207b83a2c19262c5adaee2d5c9ae8c834df39e6f59fd893da884dde2a3da421

SHA512
77100057604f46d01b000748a39c95a4cbde99d23eb1d6f61c4213339110e62048b28d4e1578e5c58292502fe66235d878363fd98c2fa04e6d0cf487c1c723d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7347e28336d7b56420907511ba215626

SHA1
ea11e65c78927016f18328b91f95fec8aa815f47

SHA256
33cd92f01c6121b99dec8a20be004219c35e20e71787dd789b9a5ec35778cccb

SHA512
bb165cd6bfc9a44df52387da93c1dff8a63948de091440cc5f0b21f9f66e720a02a4d4f45b82bab01820aba18578fd3039e6ca90315d4be2bb24de1f52929ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72b89c3a-c1b0-4d43-8df4-957f65c84e02\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff1ec9ca-5471-49ff-b657-d34a7d6e9f8a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
memory/64-279-0x0000000000000000-mapping.dmp

Download
memory/512-118-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/512-119-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/512-120-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/512-163-0x0000000008830000-0x0000000008831000-memory.dmp

Filesize
4KB

Download
memory/512-117-0x0000000002B50000-0x0000000002BBE000-memory.dmp

Filesize
440KB

Download
memory/512-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/512-116-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/688-156-0x00000000009E2000-0x00000000009E3000-memory.dmp

Filesize
4KB

Download
memory/688-150-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/688-258-0x00000000009E3000-0x00000000009E4000-memory.dmp

Filesize
4KB

Download
memory/688-127-0x0000000000000000-mapping.dmp

Download
memory/780-126-0x0000000000000000-mapping.dmp

Download
memory/780-147-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/780-139-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/780-144-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/780-262-0x00000000070A3000-0x00000000070A4000-memory.dmp

Filesize
4KB

Download
memory/780-256-0x000000007E3F0000-0x000000007E3F1000-memory.dmp

Filesize
4KB

Download
memory/780-158-0x00000000070A2000-0x00000000070A3000-memory.dmp

Filesize
4KB

Download
memory/856-259-0x00000000073E3000-0x00000000073E4000-memory.dmp

Filesize
4KB

Download
memory/856-188-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/856-182-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/856-128-0x0000000000000000-mapping.dmp

Download
memory/856-195-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/856-153-0x00000000073E2000-0x00000000073E3000-memory.dmp

Filesize
4KB

Download
memory/856-192-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/856-164-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/856-244-0x000000007F7C0000-0x000000007F7C1000-memory.dmp

Filesize
4KB

Download
memory/1252-292-0x0000000000000000-mapping.dmp

Download
memory/1524-222-0x0000000000000000-mapping.dmp

Download
memory/1524-231-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/1524-233-0x0000000006922000-0x0000000006923000-memory.dmp

Filesize
4KB

Download
memory/1704-124-0x0000000000000000-mapping.dmp

Download
memory/1704-133-0x0000000000000000-mapping.dmp

Download
memory/1704-174-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2396-255-0x000000007EC60000-0x000000007EC61000-memory.dmp

Filesize
4KB

Download
memory/2396-129-0x0000000000000000-mapping.dmp

Download
memory/2396-261-0x0000000004613000-0x0000000004614000-memory.dmp

Filesize
4KB

Download
memory/2396-168-0x0000000004612000-0x0000000004613000-memory.dmp

Filesize
4KB

Download
memory/2396-161-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2444-121-0x0000000000000000-mapping.dmp

Download
memory/2704-218-0x0000000000000000-mapping.dmp

Download
memory/2704-226-0x0000000004572000-0x0000000004573000-memory.dmp

Filesize
4KB

Download
memory/2704-223-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2708-210-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/2708-205-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/2708-245-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

Filesize
4KB

Download
memory/2708-266-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/2708-136-0x0000000000000000-mapping.dmp

Download
memory/2804-178-0x0000000004572000-0x0000000004573000-memory.dmp

Filesize
4KB

Download
memory/2804-130-0x0000000000000000-mapping.dmp

Download
memory/2804-264-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/2804-251-0x0000000004573000-0x0000000004574000-memory.dmp

Filesize
4KB

Download
memory/2804-170-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2840-240-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/2840-230-0x0000000000000000-mapping.dmp

Download
memory/2840-235-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3384-296-0x0000000000000000-mapping.dmp

Download
memory/4144-211-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/4144-143-0x0000000000000000-mapping.dmp

Download
memory/4144-248-0x000000007EA50000-0x000000007EA51000-memory.dmp

Filesize
4KB

Download
memory/4144-206-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4144-254-0x0000000004543000-0x0000000004544000-memory.dmp

Filesize
4KB

Download
memory/4180-219-0x0000000000000000-mapping.dmp

Download
memory/4180-228-0x0000000004222000-0x0000000004223000-memory.dmp

Filesize
4KB

Download
memory/4180-225-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/4232-268-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/4232-216-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/4232-215-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4232-247-0x000000007F560000-0x000000007F561000-memory.dmp

Filesize
4KB

Download
memory/4232-151-0x0000000000000000-mapping.dmp

Download
memory/4688-189-0x0000000000000000-mapping.dmp

Download
memory/4848-224-0x0000000000000000-mapping.dmp

Download
memory/4848-237-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4848-238-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/4860-229-0x0000000000000000-mapping.dmp

Download
memory/4860-234-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/4860-236-0x0000000002F62000-0x0000000002F63000-memory.dmp

Filesize
4KB

Download
memory/4884-209-0x0000000000000000-mapping.dmp

Download
memory/4888-227-0x0000000000000000-mapping.dmp

Download
memory/4888-232-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/4888-239-0x0000000007422000-0x0000000007423000-memory.dmp

Filesize
4KB

Download
memory/5096-217-0x0000000000000000-mapping.dmp

Download
memory/5096-220-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/5096-221-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/5440-249-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/5440-241-0x0000000000000000-mapping.dmp

Download
memory/5440-265-0x0000000006722000-0x0000000006723000-memory.dmp

Filesize
4KB

Download
memory/5480-267-0x0000000006552000-0x0000000006553000-memory.dmp

Filesize
4KB

Download
memory/5480-242-0x0000000000000000-mapping.dmp

Download
memory/5480-250-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/5524-243-0x0000000000000000-mapping.dmp

Download
memory/5524-253-0x00000000042D2000-0x00000000042D3000-memory.dmp

Filesize
4KB

Download
memory/5524-252-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/5532-280-0x0000000000000000-mapping.dmp

Download
memory/5728-297-0x0000000000000000-mapping.dmp

Download
memory/5748-277-0x0000000000000000-mapping.dmp

Download
memory/5836-278-0x0000000000000000-mapping.dmp

Download
memory/5876-257-0x0000000000000000-mapping.dmp

Download
memory/5876-269-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/5876-270-0x0000000006732000-0x0000000006733000-memory.dmp

Filesize
4KB

Download
memory/5908-276-0x0000000000000000-mapping.dmp

Download
memory/5912-275-0x0000000000000000-mapping.dmp

Download
memory/5912-281-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/5912-282-0x00000000067B2000-0x00000000067B3000-memory.dmp

Filesize
4KB

Download
memory/5936-272-0x0000000004192000-0x0000000004193000-memory.dmp

Filesize
4KB

Download
memory/5936-260-0x0000000000000000-mapping.dmp

Download
memory/5936-271-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/5992-274-0x0000000007372000-0x0000000007373000-memory.dmp

Filesize
4KB

Download
memory/5992-273-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/5992-263-0x0000000000000000-mapping.dmp

Download
memory/6300-291-0x0000000000000000-mapping.dmp

Download
memory/6432-283-0x0000000000000000-mapping.dmp

Download
memory/6480-284-0x0000000000000000-mapping.dmp

Download
memory/6500-285-0x0000000000000000-mapping.dmp

Download
memory/6540-286-0x0000000000000000-mapping.dmp

Download
memory/6564-287-0x0000000000000000-mapping.dmp

Download
memory/6616-288-0x0000000000000000-mapping.dmp

Download
memory/6660-290-0x0000000000000000-mapping.dmp

Download
memory/6996-315-0x0000000000000000-mapping.dmp

Download
memory/7016-327-0x0000000000000000-mapping.dmp

Download
memory/7220-299-0x0000000000000000-mapping.dmp

Download
memory/7412-302-0x0000000000000000-mapping.dmp

Download
memory/7476-304-0x0000000000000000-mapping.dmp

Download
memory/7548-305-0x0000000000000000-mapping.dmp

Download
memory/7556-314-0x0000000000000000-mapping.dmp

Download
memory/7608-306-0x0000000000000000-mapping.dmp

Download
memory/7692-307-0x0000000000000000-mapping.dmp

Download
memory/7792-308-0x0000000000000000-mapping.dmp

Download
memory/8084-313-0x0000000000000000-mapping.dmp

Download
memory/8456-317-0x0000000000000000-mapping.dmp

Download
memory/8488-318-0x0000000000000000-mapping.dmp

Download
memory/8500-319-0x0000000000000000-mapping.dmp

Download
memory/8556-320-0x0000000000000000-mapping.dmp

Download
memory/8576-321-0x0000000000000000-mapping.dmp

Download
memory/8656-322-0x0000000000000000-mapping.dmp

Download
memory/9124-325-0x0000000000000000-mapping.dmp

Download
memory/9180-326-0x0000000000000000-mapping.dmp

Download
memory/9560-331-0x0000000000000000-mapping.dmp

Download