asyncrat | 11dba92af0462cb18ac9c9ed81f104530819287f32be261915b706f83f6e04ad

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9731acc2acbf8329ae69f9d7d50e1998.exe
Size

484KB
MD5

9731acc2acbf8329ae69f9d7d50e1998
SHA1

9d99415d1675f423ebd82551ba1aee7acdccab58
SHA256

11dba92af0462cb18ac9c9ed81f104530819287f32be261915b706f83f6e04ad
SHA512

03bb2f6731916fb4d3e75edb4b6ec34479b5f76b32028900105e63a58a8be6e9c5a5952e79f73f2c05687c31baa25b5e09ff86614986b6da9f31f47546cc86ae

Score

10^/10

asyncrat bitrat 3 persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

217.64.149.93:1973

Mutex

df4Rtg34dFt5ynrew

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-119-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1660-120-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1660-118-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1660-121-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1660-122-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/1660-123-0x000000000068A488-mapping.dmp	family_bitrat
behavioral1/memory/1660-125-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/596-73-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/596-74-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/596-75-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/596-76-0x000000000040C6BE-mapping.dmp	asyncrat
behavioral1/memory/596-81-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/596-84-0x0000000000850000-0x000000000086B000-memory.dmp	asyncrat

Executes dropped EXE 4 IoCs

Processes:

RegAsm.exengwmdf.exeInstallUtil.exeInstallUtil.exe

pid process

596 RegAsm.exe
1052 ngwmdf.exe
1580 InstallUtil.exe
1660 InstallUtil.exe
Loads dropped DLL 5 IoCs

Processes:

9731acc2acbf8329ae69f9d7d50e1998.exeRegAsm.exepowershell.exengwmdf.exe

pid process

524 9731acc2acbf8329ae69f9d7d50e1998.exe
596 RegAsm.exe
1728 powershell.exe
1052 ngwmdf.exe
1052 ngwmdf.exe

pid	process
596	RegAsm.exe
1052	ngwmdf.exe
1580	InstallUtil.exe
1660	InstallUtil.exe

pid	process
524	9731acc2acbf8329ae69f9d7d50e1998.exe
596	RegAsm.exe
1728	powershell.exe
1052	ngwmdf.exe
1052	ngwmdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9731acc2acbf8329ae69f9d7d50e1998.exengwmdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\tRgk = "\"C:\\Users\\Admin\\AppData\\Roaming\\tRgk.exe\""	9731acc2acbf8329ae69f9d7d50e1998.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\rmk = "\"C:\\Users\\Admin\\AppData\\Roaming\\rmk.exe\""	ngwmdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

InstallUtil.exe

pid process

1660 InstallUtil.exe
1660 InstallUtil.exe
1660 InstallUtil.exe
1660 InstallUtil.exe
1660 InstallUtil.exe

pid	process
1660	InstallUtil.exe
1660	InstallUtil.exe
1660	InstallUtil.exe
1660	InstallUtil.exe
1660	InstallUtil.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9731acc2acbf8329ae69f9d7d50e1998.exengwmdf.exe

description	pid	process	target process
PID 524 set thread context of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 1052 set thread context of 1660	1052	ngwmdf.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exe9731acc2acbf8329ae69f9d7d50e1998.exepowershell.exeRegAsm.exepowershell.exepowershell.exengwmdf.exe

pid	process
1696	powershell.exe
1552	powershell.exe
524	9731acc2acbf8329ae69f9d7d50e1998.exe
524	9731acc2acbf8329ae69f9d7d50e1998.exe
1728	powershell.exe
596	RegAsm.exe
1728	powershell.exe
1728	powershell.exe
1520	powershell.exe
304	powershell.exe
1052	ngwmdf.exe
1052	ngwmdf.exe
1052	ngwmdf.exe
1052	ngwmdf.exe
1052	ngwmdf.exe
1052	ngwmdf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe9731acc2acbf8329ae69f9d7d50e1998.exeRegAsm.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1696	powershell.exe
Token: SeSecurityPrivilege	1696	powershell.exe
Token: SeTakeOwnershipPrivilege	1696	powershell.exe
Token: SeLoadDriverPrivilege	1696	powershell.exe
Token: SeSystemProfilePrivilege	1696	powershell.exe
Token: SeSystemtimePrivilege	1696	powershell.exe
Token: SeProfSingleProcessPrivilege	1696	powershell.exe
Token: SeIncBasePriorityPrivilege	1696	powershell.exe
Token: SeCreatePagefilePrivilege	1696	powershell.exe
Token: SeBackupPrivilege	1696	powershell.exe
Token: SeRestorePrivilege	1696	powershell.exe
Token: SeShutdownPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeSystemEnvironmentPrivilege	1696	powershell.exe
Token: SeRemoteShutdownPrivilege	1696	powershell.exe
Token: SeUndockPrivilege	1696	powershell.exe
Token: SeManageVolumePrivilege	1696	powershell.exe
Token: 33	1696	powershell.exe
Token: 34	1696	powershell.exe
Token: 35	1696	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeIncreaseQuotaPrivilege	1552	powershell.exe
Token: SeSecurityPrivilege	1552	powershell.exe
Token: SeTakeOwnershipPrivilege	1552	powershell.exe
Token: SeLoadDriverPrivilege	1552	powershell.exe
Token: SeSystemProfilePrivilege	1552	powershell.exe
Token: SeSystemtimePrivilege	1552	powershell.exe
Token: SeProfSingleProcessPrivilege	1552	powershell.exe
Token: SeIncBasePriorityPrivilege	1552	powershell.exe
Token: SeCreatePagefilePrivilege	1552	powershell.exe
Token: SeBackupPrivilege	1552	powershell.exe
Token: SeRestorePrivilege	1552	powershell.exe
Token: SeShutdownPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeSystemEnvironmentPrivilege	1552	powershell.exe
Token: SeRemoteShutdownPrivilege	1552	powershell.exe
Token: SeUndockPrivilege	1552	powershell.exe
Token: SeManageVolumePrivilege	1552	powershell.exe
Token: 33	1552	powershell.exe
Token: 34	1552	powershell.exe
Token: 35	1552	powershell.exe
Token: SeDebugPrivilege	524	9731acc2acbf8329ae69f9d7d50e1998.exe
Token: SeDebugPrivilege	596	RegAsm.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1520	powershell.exe
Token: SeSecurityPrivilege	1520	powershell.exe
Token: SeTakeOwnershipPrivilege	1520	powershell.exe
Token: SeLoadDriverPrivilege	1520	powershell.exe
Token: SeSystemProfilePrivilege	1520	powershell.exe
Token: SeSystemtimePrivilege	1520	powershell.exe
Token: SeProfSingleProcessPrivilege	1520	powershell.exe
Token: SeIncBasePriorityPrivilege	1520	powershell.exe
Token: SeCreatePagefilePrivilege	1520	powershell.exe
Token: SeBackupPrivilege	1520	powershell.exe
Token: SeRestorePrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeSystemEnvironmentPrivilege	1520	powershell.exe
Token: SeRemoteShutdownPrivilege	1520	powershell.exe
Token: SeUndockPrivilege	1520	powershell.exe
Token: SeManageVolumePrivilege	1520	powershell.exe
Token: 33	1520	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

InstallUtil.exe

pid process

1660 InstallUtil.exe
1660 InstallUtil.exe

pid	process
1660	InstallUtil.exe
1660	InstallUtil.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

9731acc2acbf8329ae69f9d7d50e1998.exeRegAsm.execmd.exepowershell.exengwmdf.exe

description	pid	process	target process
PID 524 wrote to memory of 1696	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1696	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1696	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1696	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1552	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1552	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1552	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 1552	524	9731acc2acbf8329ae69f9d7d50e1998.exe	powershell.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 524 wrote to memory of 596	524	9731acc2acbf8329ae69f9d7d50e1998.exe	RegAsm.exe
PID 596 wrote to memory of 840	596	RegAsm.exe	cmd.exe
PID 596 wrote to memory of 840	596	RegAsm.exe	cmd.exe
PID 596 wrote to memory of 840	596	RegAsm.exe	cmd.exe
PID 596 wrote to memory of 840	596	RegAsm.exe	cmd.exe
PID 840 wrote to memory of 1728	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1728	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1728	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1728	840	cmd.exe	powershell.exe
PID 1728 wrote to memory of 1052	1728	powershell.exe	ngwmdf.exe
PID 1728 wrote to memory of 1052	1728	powershell.exe	ngwmdf.exe
PID 1728 wrote to memory of 1052	1728	powershell.exe	ngwmdf.exe
PID 1728 wrote to memory of 1052	1728	powershell.exe	ngwmdf.exe
PID 1052 wrote to memory of 1520	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 1520	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 1520	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 1520	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 304	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 304	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 304	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 304	1052	ngwmdf.exe	powershell.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1580	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe
PID 1052 wrote to memory of 1660	1052	ngwmdf.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\9731acc2acbf8329ae69f9d7d50e1998.exe
"C:\Users\Admin\AppData\Local\Temp\9731acc2acbf8329ae69f9d7d50e1998.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe"'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe
"C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:304

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
6⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe
MD5
9ca55d38876ba606e1d322eddb97eb3a

SHA1
0c0575292703ca0b07e512c3b6613e4e776e7d11

SHA256
5e949d278af13122d7dcf70722f612f2772ca6781a50f529da23db220d80fe0f

SHA512
c71c60df7e106daf578b9a43826acaa62dccbba866043d511ce5ce8c85d99483c82ef001bc5f2100aba3080af444bedfb3729c65a37e1025eb6ce91cc1be0b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngwmdf.exe
MD5
9ca55d38876ba606e1d322eddb97eb3a

SHA1
0c0575292703ca0b07e512c3b6613e4e776e7d11

SHA256
5e949d278af13122d7dcf70722f612f2772ca6781a50f529da23db220d80fe0f

SHA512
c71c60df7e106daf578b9a43826acaa62dccbba866043d511ce5ce8c85d99483c82ef001bc5f2100aba3080af444bedfb3729c65a37e1025eb6ce91cc1be0b03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a4a5e44b11714c0f208886537fc0f0da

SHA1
12b6efda345b28ec67e3cb684a85a958f905da49

SHA256
2b59132a8f5d45239e9eaa7167f484f31bbd049e808ff63b7476c6cc9b05c70e

SHA512
93da5ecbfc3077aab6d8d97dcf7a3dbaab07cbfffcce04ae51ada51f7782b243c9b9af4de73f5c9a621da96377ba2f85094ab2a96e723bfc73f29c141124a8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a4a5e44b11714c0f208886537fc0f0da

SHA1
12b6efda345b28ec67e3cb684a85a958f905da49

SHA256
2b59132a8f5d45239e9eaa7167f484f31bbd049e808ff63b7476c6cc9b05c70e

SHA512
93da5ecbfc3077aab6d8d97dcf7a3dbaab07cbfffcce04ae51ada51f7782b243c9b9af4de73f5c9a621da96377ba2f85094ab2a96e723bfc73f29c141124a8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3646683715086dd371714576dd2aba1b

SHA1
943dc8aaa247a96240cf6e4d8684a5041434fd3c

SHA256
68e4f615f0c7aa93af79e4dad31db129b62aa0ce667c5d315af3a148d83380b2

SHA512
7d7f9b981246e7dfc9024d1f5eba98fe4fb31c7ad91b0bb6a554a4ee30faabcfbcb4a5896124cd69de4a7a15e8eb542fb1bcd1aca0b5beec621585924b177f51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3646683715086dd371714576dd2aba1b

SHA1
943dc8aaa247a96240cf6e4d8684a5041434fd3c

SHA256
68e4f615f0c7aa93af79e4dad31db129b62aa0ce667c5d315af3a148d83380b2

SHA512
7d7f9b981246e7dfc9024d1f5eba98fe4fb31c7ad91b0bb6a554a4ee30faabcfbcb4a5896124cd69de4a7a15e8eb542fb1bcd1aca0b5beec621585924b177f51

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\ngwmdf.exe
MD5
9ca55d38876ba606e1d322eddb97eb3a

SHA1
0c0575292703ca0b07e512c3b6613e4e776e7d11

SHA256
5e949d278af13122d7dcf70722f612f2772ca6781a50f529da23db220d80fe0f

SHA512
c71c60df7e106daf578b9a43826acaa62dccbba866043d511ce5ce8c85d99483c82ef001bc5f2100aba3080af444bedfb3729c65a37e1025eb6ce91cc1be0b03

Download Submit
memory/304-104-0x0000000000000000-mapping.dmp

Download
memory/304-107-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/304-109-0x00000000024B2000-0x00000000024B4000-memory.dmp

Filesize
8KB

Download
memory/304-108-0x00000000024B1000-0x00000000024B2000-memory.dmp

Filesize
4KB

Download
memory/524-69-0x00000000047F0000-0x0000000004804000-memory.dmp

Filesize
80KB

Download
memory/524-55-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/524-68-0x0000000005210000-0x0000000005279000-memory.dmp

Filesize
420KB

Download
memory/524-58-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/524-57-0x0000000075461000-0x0000000075463000-memory.dmp

Filesize
8KB

Download
memory/596-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/596-84-0x0000000000850000-0x000000000086B000-memory.dmp

Filesize
108KB

Download
memory/596-83-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/596-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/596-76-0x000000000040C6BE-mapping.dmp

Download
memory/596-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/596-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/596-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/596-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/840-85-0x0000000000000000-mapping.dmp

Download
memory/1052-92-0x0000000000000000-mapping.dmp

Download
memory/1052-111-0x0000000006F90000-0x0000000007168000-memory.dmp

Filesize
1.8MB

Download
memory/1052-110-0x0000000006BA0000-0x0000000006DC7000-memory.dmp

Filesize
2.2MB

Download
memory/1052-94-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1052-97-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1520-103-0x00000000023D2000-0x00000000023D4000-memory.dmp

Filesize
8KB

Download
memory/1520-101-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1520-98-0x0000000000000000-mapping.dmp

Download
memory/1520-102-0x00000000023D1000-0x00000000023D2000-memory.dmp

Filesize
4KB

Download
memory/1552-67-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1552-64-0x0000000000000000-mapping.dmp

Download
memory/1660-123-0x000000000068A488-mapping.dmp

Download
memory/1660-121-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-125-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-122-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-115-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-116-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-117-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-119-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-118-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1696-63-0x00000000022B2000-0x00000000022B4000-memory.dmp

Filesize
8KB

Download
memory/1696-61-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1696-62-0x00000000022B1000-0x00000000022B2000-memory.dmp

Filesize
4KB

Download
memory/1696-59-0x0000000000000000-mapping.dmp

Download
memory/1728-86-0x0000000000000000-mapping.dmp

Download
memory/1728-90-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download