asyncrat | dcf06da768b714ec1af94d58e4f9c6125a2f45dc269aaa7cede67c7ea528dc99

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe
Size

1.9MB
MD5

1f2be558a74cb83afab86147e70d87d6
SHA1

67aa1ef5fca4e3e720feb6080d0f1ac20b503b26
SHA256

4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8
SHA512

5f8af4ea3bd3a5078b91d086ef1d4d1a9d88f2065621eb76ce21573e02144deab5f6e33d65a0525caff1387e5bbfa1ea4bb3f288e60045efcf7a82d5f57e87a9
SSDEEP

49152:33X/qQfkYzgrW/r1DNKHOkjSKwgRVRm9SMHGVa52a:nTfccDMRSKTVRmQi3

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

27.124.4.150:51311

Mutex

owgonhhweps

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/3772-81-0x0000000002A10000-0x0000000002A22000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3772-81-0x0000000002A10000-0x0000000002A22000-memory.dmp	family_asyncrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	4800	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp

Executes dropped EXE 6 IoCs

pid	Process
4964	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
216	msedgewebview2.exe
4320	msedgewebview2.exe
376	msedgewebview2.exe
2476	msedgewebview2.exe

Loads dropped DLL 15 IoCs

pid	Process
216	msedgewebview2.exe
4320	msedgewebview2.exe
3772	regsvr32.exe
376	msedgewebview2.exe
4060	regsvr32.exe
812	regsvr32.exe
3656	regsvr32.exe
5024	regsvr32.exe
4628	regsvr32.exe
2476	msedgewebview2.exe
2224	regsvr32.exe
4108	regsvr32.exe
1804	regsvr32.exe
4612	regsvr32.exe
636	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1812	powershell.exe
1864	powershell.exe
3988	powershell.exe
752	powershell.exe
624	powershell.exe
4040	powershell.exe
3844	powershell.exe
4572	powershell.exe
3780	powershell.exe
4648	powershell.exe
264	powershell.exe
3796	powershell.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

discovery

Process Discovery

T1057

pid	Process
1984	tasklist.exe
2128	tasklist.exe
2188	tasklist.exe
1016	tasklist.exe
428	tasklist.exe
4564	tasklist.exe
3076	tasklist.exe
3252	tasklist.exe
2972	tasklist.exe
3396	tasklist.exe
3740	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1608	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
264	powershell.exe
264	powershell.exe
752	powershell.exe
752	powershell.exe
3772	regsvr32.exe
3772	regsvr32.exe
3772	regsvr32.exe
3772	regsvr32.exe
3772	regsvr32.exe
3772	regsvr32.exe
624	powershell.exe
624	powershell.exe
3796	powershell.exe
3796	powershell.exe
4040	powershell.exe
4040	powershell.exe
1812	powershell.exe
1812	powershell.exe
3844	powershell.exe
3844	powershell.exe
3772	regsvr32.exe
3772	regsvr32.exe
3772	regsvr32.exe
4572	powershell.exe
4572	powershell.exe
1864	powershell.exe
1864	powershell.exe
3780	powershell.exe
3780	powershell.exe
3988	powershell.exe
3988	powershell.exe
4648	powershell.exe
4648	powershell.exe
3772	regsvr32.exe
3772	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	powershell.exe
Token: SeIncreaseQuotaPrivilege	264	powershell.exe
Token: SeSecurityPrivilege	264	powershell.exe
Token: SeTakeOwnershipPrivilege	264	powershell.exe
Token: SeLoadDriverPrivilege	264	powershell.exe
Token: SeSystemProfilePrivilege	264	powershell.exe
Token: SeSystemtimePrivilege	264	powershell.exe
Token: SeProfSingleProcessPrivilege	264	powershell.exe
Token: SeIncBasePriorityPrivilege	264	powershell.exe
Token: SeCreatePagefilePrivilege	264	powershell.exe
Token: SeBackupPrivilege	264	powershell.exe
Token: SeRestorePrivilege	264	powershell.exe
Token: SeShutdownPrivilege	264	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeSystemEnvironmentPrivilege	264	powershell.exe
Token: SeRemoteShutdownPrivilege	264	powershell.exe
Token: SeUndockPrivilege	264	powershell.exe
Token: SeManageVolumePrivilege	264	powershell.exe
Token: 33	264	powershell.exe
Token: 34	264	powershell.exe
Token: 35	264	powershell.exe
Token: 36	264	powershell.exe
Token: SeIncreaseQuotaPrivilege	264	powershell.exe
Token: SeSecurityPrivilege	264	powershell.exe
Token: SeTakeOwnershipPrivilege	264	powershell.exe
Token: SeLoadDriverPrivilege	264	powershell.exe
Token: SeSystemProfilePrivilege	264	powershell.exe
Token: SeSystemtimePrivilege	264	powershell.exe
Token: SeProfSingleProcessPrivilege	264	powershell.exe
Token: SeIncBasePriorityPrivilege	264	powershell.exe
Token: SeCreatePagefilePrivilege	264	powershell.exe
Token: SeBackupPrivilege	264	powershell.exe
Token: SeRestorePrivilege	264	powershell.exe
Token: SeShutdownPrivilege	264	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeSystemEnvironmentPrivilege	264	powershell.exe
Token: SeRemoteShutdownPrivilege	264	powershell.exe
Token: SeUndockPrivilege	264	powershell.exe
Token: SeManageVolumePrivilege	264	powershell.exe
Token: 33	264	powershell.exe
Token: 34	264	powershell.exe
Token: 35	264	powershell.exe
Token: 36	264	powershell.exe
Token: SeIncreaseQuotaPrivilege	264	powershell.exe
Token: SeSecurityPrivilege	264	powershell.exe
Token: SeTakeOwnershipPrivilege	264	powershell.exe
Token: SeLoadDriverPrivilege	264	powershell.exe
Token: SeSystemProfilePrivilege	264	powershell.exe
Token: SeSystemtimePrivilege	264	powershell.exe
Token: SeProfSingleProcessPrivilege	264	powershell.exe
Token: SeIncBasePriorityPrivilege	264	powershell.exe
Token: SeCreatePagefilePrivilege	264	powershell.exe
Token: SeBackupPrivilege	264	powershell.exe
Token: SeRestorePrivilege	264	powershell.exe
Token: SeShutdownPrivilege	264	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeSystemEnvironmentPrivilege	264	powershell.exe
Token: SeRemoteShutdownPrivilege	264	powershell.exe
Token: SeUndockPrivilege	264	powershell.exe
Token: SeManageVolumePrivilege	264	powershell.exe
Token: 33	264	powershell.exe
Token: 34	264	powershell.exe
Token: 35	264	powershell.exe
Token: 36	264	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3772	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4964	832	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	86
PID 832 wrote to memory of 4964	832	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	86
PID 832 wrote to memory of 4964	832	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	86
PID 4964 wrote to memory of 3320	4964	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp	90
PID 4964 wrote to memory of 3320	4964	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp	90
PID 4964 wrote to memory of 3320	4964	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp	90
PID 3320 wrote to memory of 928	3320	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	91
PID 3320 wrote to memory of 928	3320	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	91
PID 3320 wrote to memory of 928	3320	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe	91
PID 928 wrote to memory of 216	928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp	92
PID 928 wrote to memory of 216	928	4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp	92
PID 216 wrote to memory of 264	216	msedgewebview2.exe	93
PID 216 wrote to memory of 264	216	msedgewebview2.exe	93
PID 216 wrote to memory of 4320	216	msedgewebview2.exe	96
PID 216 wrote to memory of 4320	216	msedgewebview2.exe	96
PID 4320 wrote to memory of 752	4320	msedgewebview2.exe	97
PID 4320 wrote to memory of 752	4320	msedgewebview2.exe	97
PID 4320 wrote to memory of 3252	4320	msedgewebview2.exe	99
PID 4320 wrote to memory of 3252	4320	msedgewebview2.exe	99
PID 4320 wrote to memory of 3772	4320	msedgewebview2.exe	101
PID 4320 wrote to memory of 3772	4320	msedgewebview2.exe	101
PID 376 wrote to memory of 624	376	msedgewebview2.exe	110
PID 376 wrote to memory of 624	376	msedgewebview2.exe	110
PID 376 wrote to memory of 2972	376	msedgewebview2.exe	112
PID 376 wrote to memory of 2972	376	msedgewebview2.exe	112
PID 376 wrote to memory of 4060	376	msedgewebview2.exe	114
PID 376 wrote to memory of 4060	376	msedgewebview2.exe	114
PID 376 wrote to memory of 3796	376	msedgewebview2.exe	115
PID 376 wrote to memory of 3796	376	msedgewebview2.exe	115
PID 376 wrote to memory of 3396	376	msedgewebview2.exe	117
PID 376 wrote to memory of 3396	376	msedgewebview2.exe	117
PID 376 wrote to memory of 812	376	msedgewebview2.exe	119
PID 376 wrote to memory of 812	376	msedgewebview2.exe	119
PID 376 wrote to memory of 4040	376	msedgewebview2.exe	120
PID 376 wrote to memory of 4040	376	msedgewebview2.exe	120
PID 376 wrote to memory of 3740	376	msedgewebview2.exe	122
PID 376 wrote to memory of 3740	376	msedgewebview2.exe	122
PID 376 wrote to memory of 3656	376	msedgewebview2.exe	124
PID 376 wrote to memory of 3656	376	msedgewebview2.exe	124
PID 376 wrote to memory of 1812	376	msedgewebview2.exe	125
PID 376 wrote to memory of 1812	376	msedgewebview2.exe	125
PID 376 wrote to memory of 2128	376	msedgewebview2.exe	127
PID 376 wrote to memory of 2128	376	msedgewebview2.exe	127
PID 376 wrote to memory of 5024	376	msedgewebview2.exe	129
PID 376 wrote to memory of 5024	376	msedgewebview2.exe	129
PID 376 wrote to memory of 3844	376	msedgewebview2.exe	130
PID 376 wrote to memory of 3844	376	msedgewebview2.exe	130
PID 376 wrote to memory of 2188	376	msedgewebview2.exe	132
PID 376 wrote to memory of 2188	376	msedgewebview2.exe	132
PID 376 wrote to memory of 4628	376	msedgewebview2.exe	134
PID 376 wrote to memory of 4628	376	msedgewebview2.exe	134
PID 2476 wrote to memory of 4572	2476	msedgewebview2.exe	141
PID 2476 wrote to memory of 4572	2476	msedgewebview2.exe	141
PID 2476 wrote to memory of 1016	2476	msedgewebview2.exe	143
PID 2476 wrote to memory of 1016	2476	msedgewebview2.exe	143
PID 2476 wrote to memory of 2224	2476	msedgewebview2.exe	145
PID 2476 wrote to memory of 2224	2476	msedgewebview2.exe	145
PID 2476 wrote to memory of 1864	2476	msedgewebview2.exe	146
PID 2476 wrote to memory of 1864	2476	msedgewebview2.exe	146
PID 2476 wrote to memory of 4564	2476	msedgewebview2.exe	148
PID 2476 wrote to memory of 4564	2476	msedgewebview2.exe	148
PID 2476 wrote to memory of 4108	2476	msedgewebview2.exe	150
PID 2476 wrote to memory of 4108	2476	msedgewebview2.exe	150
PID 2476 wrote to memory of 3780	2476	msedgewebview2.exe	151

C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe
"C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\is-0BANL.tmp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0BANL.tmp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp" /SL5="$B0050,1610660,141312,C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe
    "C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\is-Q3RH5.tmp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q3RH5.tmp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp" /SL5="$70040,1610660,141312,C:\Users\Admin\AppData\Local\Temp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\\NVIDIA app\\864\\msedgewebview2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
      - C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq regsvr32.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3252
        
        C:\Windows\system32\regsvr32.exe
        
        "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3772

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzgxM0I0QTQtNTJFNy00MTE1LUJGQjMtM0NFNEZEQTkwMjQ2fSIgdXNlcmlkPSJ7N0FFMkRDQjUtODg1Ni00RjgxLUExNjEtMTBEQUZFODBDNkIyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODgzNTE3QTItNzg3OS00MTI4LTgwNzktRkUyMDg1MDQ3MzM0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTgzODQ1Mjc0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1608

C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2972
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3396
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3740
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2128
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2188
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4628

C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1016
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4564
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3076
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:428
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1984
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ac3c9ba89b8c2ef19c601ecebb82157

SHA1
a239a4b11438c00e5ff89ebd4a804ede6a01935b

SHA256
3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

SHA512
b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3182461fe1959749f11f13e3ebf1b721

SHA1
753bd6da89365ad150d3f7dba34a8af5919385ba

SHA256
66bf7482c6adb4146f9fb804c8b083ea3a04be7e4d961664dcdd53c611d26c21

SHA512
909ce35c7cb8275098977e3cf47efd8b7e3ba475660deebfa2ce243c799455e49cdc837231e831665aacfd88c1c6c07652c2ccac7a15bc43fbc5230d8fd96772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f19e66caf9e72d58c1367e47345808b

SHA1
b42774fa029628290322c9e9b875b7e120f49116

SHA256
b86320cd6f22fbfa1950ed4e7e2b1f858d437fed3183bea25819463a1c8703ea

SHA512
9ff74e5eca7bbe0bee6e6430bf2cfca108da8107ee4116696173822c634db8a639ba8b372b95b9d8e2dfb1cb1871b022c70db96450bae851a848e375b82775a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
868936d5512a2d2665ee63f8a2d13a9f

SHA1
cc7536674df4b980dbd6660071da2e0b94f724e6

SHA256
0e49a962ef46e9d5ee8012b65059812732fc10750e4d6b7ff8e0e9b6f80663f6

SHA512
ab609e807be6a62c8e2b601e4959f65d5c21edee6c5e69e95cbb71a7eb968372f923b3ccc52e705f484b86cce0f1d94856f8153e86d29736120df0398dae784d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
247e897bc6967842b82f8bf495373c34

SHA1
4c090470ecc9d0d0475a9fdfdc4f2ff0980976bf

SHA256
d9361b03ae0e89ffcd8c364c6bc3977957a55c3990aa9fb0f63bea05a844acf3

SHA512
db6ae9fb7ec6b7137fb4ce60ffd12be2f4c086f297753345abe04272a3ba451ed70dcd8b6cbcee967d4408b225a2438750f5d0fbea7fc7a92b9c725d59b7bab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0adbfb5662c6c34a9a4a31d7b9f44e82

SHA1
b327d2b1fd441efa909491f61ef7537a78202860

SHA256
72fd4c9e71d598c9848ec7d4698b4386930733c65301309b190f4fa463846b9f

SHA512
4cc8e2f3eb964a68ddf68dcd1eca78f9201babc6e16fcb3ac745984c83fca3d6c61e83bced1981d42a7e3a791af59c1dfe7074c0e6fed0dcc98c88fd61fe6429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d2242ff9dc07b67553123b3c939974d

SHA1
ec7b42a468cdb04f1403cd18f67aa4d5af6c5a7f

SHA256
27845ed84cb47c4ba2883bdd75c0a0be7035060f6ac845ca256a391bee640716

SHA512
25b081ed892b9bc03a7f77c16d110fdc8f03d118689f9773fff258e78a65c0e94c01886e01a4ba0cf5cb7bdb0d7e1e1babb58e1db4ba2582a4e1125b80ebd0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1ioa1dr.u3g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0BANL.tmp\4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8.tmp

Filesize
1.1MB

MD5
8fdc58c7d4c59472615682d6dea9d190

SHA1
8e131fe09fd238493719b4fd92e6c833bf3596c1

SHA256
26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

SHA512
b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FIJJD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll

Filesize
792KB

MD5
49b060366422b6af60958aeb35f1eb06

SHA1
50240c19542c8a61507d169757ed91a4e801f2f5

SHA256
589715ba10dcb4ff605571fb03e3d6fd79214e659868aa36512a0bde3214283d

SHA512
f6ef75a3568aad0d302c1804acf9157ef95906b84e4e75b1f5955912eba30ecf2f7aa80600f9b9754dfc4b6f015a2607a70ad16ae80fbdea4d0ea09173c60233

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe

Filesize
3.2MB

MD5
71fdf2d301949413f8b14e0f12c2e0f5

SHA1
c57e8eff6bfc0be6420e97cfd6de895c937fd5b7

SHA256
1e7e2c05c6c634aa7f11c8c217bf9c21fbe336f128d744fbaf3fc91d643925a0

SHA512
752fe30b893a1e0a0fbd93fb91dceea2b88f5e1c067e8f780fbedcf1fd4a11ec1317d65bbc3c11086926a2d37a49e5f519c40f7d65dba335079dc2044dd53f58

Download Submit
memory/216-83-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/264-53-0x000002DB64E40000-0x000002DB64E62000-memory.dmp

Filesize
136KB

Download
memory/376-174-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/832-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/832-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/832-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/928-26-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/928-45-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2476-265-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/3320-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3320-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3320-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3772-85-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/3772-81-0x0000000002A10000-0x0000000002A22000-memory.dmp

Filesize
72KB

Download
memory/3772-271-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/4320-84-0x00007FFAED3F0000-0x00007FFAED499000-memory.dmp

Filesize
676KB

Download
memory/4964-18-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4964-7-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download