valleyrat_s2 | 0efc7a12733cab4458e5ffaec5060e2bc8269e198fe03e8b81e78fd3f923a3dd

Analysis

max time kernel
150s
max time network
143s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google aIc Browser v1.4.1.exe
Size

83.8MB
MD5

d62de6a53a4ab61def2c33c19423fe75
SHA1

24607d81474572149837d2c06b644e328997080e
SHA256

0efc7a12733cab4458e5ffaec5060e2bc8269e198fe03e8b81e78fd3f923a3dd
SHA512

b9eb33a6b082c6f193e97d65f0ea8a01b5a66a43181e3cc2d0d469aa4e72113747c531e03a3fb55ac80131547bb84def346c34a6355d0b6915b009ad1e846908
SSDEEP

1572864:gnU4QJmFhXw6H2Pso8/5Cik3D7Mg0BoQ5QzR0FT3x0YH4eJl21MyV0q0EFxrBY:gn93Flw6H2PO5CikEg0BoQLFFZ4eJYfM

Score

10^/10

valleyrat_s2 backdoor discovery execution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

27.124.40.155:18091

27.124.40.155:18092

27.124.40.155:18093

Attributes

campaign_date
2024.12. 3

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Blocklisted process makes network request 4 IoCs

flow	pid	Process
33	5476	powershell.exe
35	5476	powershell.exe
36	5476	powershell.exe
43	5476	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5108	powershell.exe
5040	powershell.exe
4068	powershell.exe
4832	powershell.exe
5476	powershell.exe
2540	powershell.exe
4072	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
5300	SGuardSvc32.exe

Loads dropped DLL 5 IoCs

pid	Process
64	Google aIc Browser v1.4.1.exe
64	Google aIc Browser v1.4.1.exe
64	Google aIc Browser v1.4.1.exe
5476	powershell.exe
64	Google aIc Browser v1.4.1.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	powershell.exe
File opened (read-only)	\??\N:	powershell.exe
File opened (read-only)	\??\D:	powershell.exe
File opened (read-only)	\??\U:	powershell.exe
File opened (read-only)	\??\W:	powershell.exe
File opened (read-only)	\??\X:	powershell.exe
File opened (read-only)	\??\G:	powershell.exe
File opened (read-only)	\??\P:	powershell.exe
File opened (read-only)	\??\T:	powershell.exe
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\L:	powershell.exe
File opened (read-only)	\??\O:	powershell.exe
File opened (read-only)	\??\S:	powershell.exe
File opened (read-only)	\??\V:	powershell.exe
File opened (read-only)	\??\Y:	powershell.exe
File opened (read-only)	\??\Z:	powershell.exe
File opened (read-only)	\??\Q:	powershell.exe
File opened (read-only)	\??\R:	powershell.exe
File opened (read-only)	\??\H:	powershell.exe
File opened (read-only)	\??\I:	powershell.exe
File opened (read-only)	\??\J:	powershell.exe
File opened (read-only)	\??\K:	powershell.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
116	tasklist.exe
1808	tasklist.exe
2112	tasklist.exe
1476	tasklist.exe
6096	tasklist.exe
2340	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Application\CheomrSetup.exe	Google aIc Browser v1.4.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edpnotify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SGuardSvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google aIc Browser v1.4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Delays execution with timeout.exe 6 IoCs

defense_evasion

pid	Process
5564	timeout.exe
1560	timeout.exe
1236	timeout.exe
1188	timeout.exe
3184	timeout.exe
1824	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	powershell.exe
5040	powershell.exe
5476	powershell.exe
5476	powershell.exe
5108	powershell.exe
5108	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
2540	powershell.exe
2540	powershell.exe
4068	powershell.exe
2540	powershell.exe
4832	powershell.exe
4832	powershell.exe
4072	powershell.exe
4832	powershell.exe
4072	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeTakeOwnershipPrivilege	5040	powershell.exe
Token: SeLoadDriverPrivilege	5040	powershell.exe
Token: SeSystemProfilePrivilege	5040	powershell.exe
Token: SeSystemtimePrivilege	5040	powershell.exe
Token: SeProfSingleProcessPrivilege	5040	powershell.exe
Token: SeIncBasePriorityPrivilege	5040	powershell.exe
Token: SeCreatePagefilePrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeRestorePrivilege	5040	powershell.exe
Token: SeShutdownPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeSystemEnvironmentPrivilege	5040	powershell.exe
Token: SeRemoteShutdownPrivilege	5040	powershell.exe
Token: SeUndockPrivilege	5040	powershell.exe
Token: SeManageVolumePrivilege	5040	powershell.exe
Token: 33	5040	powershell.exe
Token: 34	5040	powershell.exe
Token: 35	5040	powershell.exe
Token: 36	5040	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	6096	tasklist.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeIncreaseQuotaPrivilege	5108	powershell.exe
Token: SeSecurityPrivilege	5108	powershell.exe
Token: SeTakeOwnershipPrivilege	5108	powershell.exe
Token: SeLoadDriverPrivilege	5108	powershell.exe
Token: SeSystemProfilePrivilege	5108	powershell.exe
Token: SeSystemtimePrivilege	5108	powershell.exe
Token: SeProfSingleProcessPrivilege	5108	powershell.exe
Token: SeIncBasePriorityPrivilege	5108	powershell.exe
Token: SeCreatePagefilePrivilege	5108	powershell.exe
Token: SeBackupPrivilege	5108	powershell.exe
Token: SeRestorePrivilege	5108	powershell.exe
Token: SeShutdownPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeSystemEnvironmentPrivilege	5108	powershell.exe
Token: SeRemoteShutdownPrivilege	5108	powershell.exe
Token: SeUndockPrivilege	5108	powershell.exe
Token: SeManageVolumePrivilege	5108	powershell.exe
Token: 33	5108	powershell.exe
Token: 34	5108	powershell.exe
Token: 35	5108	powershell.exe
Token: 36	5108	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	116	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5476	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 5040	64	Google aIc Browser v1.4.1.exe	90
PID 64 wrote to memory of 5040	64	Google aIc Browser v1.4.1.exe	90
PID 64 wrote to memory of 5040	64	Google aIc Browser v1.4.1.exe	90
PID 64 wrote to memory of 3804	64	Google aIc Browser v1.4.1.exe	93
PID 64 wrote to memory of 3804	64	Google aIc Browser v1.4.1.exe	93
PID 64 wrote to memory of 3804	64	Google aIc Browser v1.4.1.exe	93
PID 3804 wrote to memory of 5476	3804	wscript.exe	94
PID 3804 wrote to memory of 5476	3804	wscript.exe	94
PID 3804 wrote to memory of 5476	3804	wscript.exe	94
PID 64 wrote to memory of 5300	64	Google aIc Browser v1.4.1.exe	96
PID 64 wrote to memory of 5300	64	Google aIc Browser v1.4.1.exe	96
PID 64 wrote to memory of 5300	64	Google aIc Browser v1.4.1.exe	96
PID 5300 wrote to memory of 5384	5300	SGuardSvc32.exe	97
PID 5300 wrote to memory of 5384	5300	SGuardSvc32.exe	97
PID 5300 wrote to memory of 5384	5300	SGuardSvc32.exe	97
PID 5476 wrote to memory of 6100	5476	powershell.exe	98
PID 5476 wrote to memory of 6100	5476	powershell.exe	98
PID 5476 wrote to memory of 6100	5476	powershell.exe	98
PID 6100 wrote to memory of 2804	6100	csc.exe	99
PID 6100 wrote to memory of 2804	6100	csc.exe	99
PID 6100 wrote to memory of 2804	6100	csc.exe	99
PID 5300 wrote to memory of 5384	5300	SGuardSvc32.exe	97
PID 5476 wrote to memory of 896	5476	powershell.exe	102
PID 5476 wrote to memory of 896	5476	powershell.exe	102
PID 5476 wrote to memory of 896	5476	powershell.exe	102
PID 896 wrote to memory of 6096	896	cmd.exe	103
PID 896 wrote to memory of 6096	896	cmd.exe	103
PID 896 wrote to memory of 6096	896	cmd.exe	103
PID 896 wrote to memory of 788	896	cmd.exe	104
PID 896 wrote to memory of 788	896	cmd.exe	104
PID 896 wrote to memory of 788	896	cmd.exe	104
PID 5476 wrote to memory of 1512	5476	powershell.exe	105
PID 5476 wrote to memory of 1512	5476	powershell.exe	105
PID 5476 wrote to memory of 1512	5476	powershell.exe	105
PID 1512 wrote to memory of 5108	1512	cmd.exe	107
PID 1512 wrote to memory of 5108	1512	cmd.exe	107
PID 1512 wrote to memory of 5108	1512	cmd.exe	107
PID 896 wrote to memory of 1236	896	cmd.exe	108
PID 896 wrote to memory of 1236	896	cmd.exe	108
PID 896 wrote to memory of 1236	896	cmd.exe	108
PID 5476 wrote to memory of 5036	5476	powershell.exe	109
PID 5476 wrote to memory of 5036	5476	powershell.exe	109
PID 5476 wrote to memory of 5036	5476	powershell.exe	109
PID 5036 wrote to memory of 4068	5036	cmd.exe	110
PID 5036 wrote to memory of 4068	5036	cmd.exe	110
PID 5036 wrote to memory of 4068	5036	cmd.exe	110
PID 5476 wrote to memory of 3284	5476	powershell.exe	111
PID 5476 wrote to memory of 3284	5476	powershell.exe	111
PID 5476 wrote to memory of 3284	5476	powershell.exe	111
PID 3284 wrote to memory of 2540	3284	cmd.exe	113
PID 3284 wrote to memory of 2540	3284	cmd.exe	113
PID 3284 wrote to memory of 2540	3284	cmd.exe	113
PID 5476 wrote to memory of 5868	5476	powershell.exe	114
PID 5476 wrote to memory of 5868	5476	powershell.exe	114
PID 5476 wrote to memory of 5868	5476	powershell.exe	114
PID 5868 wrote to memory of 4832	5868	cmd.exe	115
PID 5868 wrote to memory of 4832	5868	cmd.exe	115
PID 5868 wrote to memory of 4832	5868	cmd.exe	115
PID 5476 wrote to memory of 332	5476	powershell.exe	116
PID 5476 wrote to memory of 332	5476	powershell.exe	116
PID 5476 wrote to memory of 332	5476	powershell.exe	116
PID 332 wrote to memory of 4072	332	cmd.exe	118
PID 332 wrote to memory of 4072	332	cmd.exe	118
PID 332 wrote to memory of 4072	332	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\Google aIc Browser v1.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\Google aIc Browser v1.4.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Set-MpPreference -ExclusionPath C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\SysWOW64\wscript.exe
  wscript //B "C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yanzxdub\yanzxdub.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:6100
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E22.tmp" "c:\Users\Admin\AppData\Local\Temp\yanzxdub\CSC6C34E01955E74297835844BEDBFDF253.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /B /c "C:\Users\Admin\AppData\Local\Temp\monitor.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:788
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1236
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1188
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3184
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1824
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5564
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 5476"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "5476"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
- C:\Users\Admin\AppData\Local\SGuardSvc32.exe
  "C:\Users\Admin\AppData\Local\SGuardSvc32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5300
- - C:\Windows\SysWOW64\edpnotify.exe
    C:\Windows\SysWOW64\edpnotify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
aa7379c1499eb6c108a7dfb7089e476d

SHA1
c75bff770b8355c0ff191ef4e81fb1ac8c23db3f

SHA256
e43a99f80dea587e6d181fbd3da464df7787d3c40c8a3e819e8ad73dae3e98ab

SHA512
2398df700beb9a7bacf1b6686658c223cf089eb8632a27a836e5a2e8d922f61db82b8569c03ccc207d00a96d9f811deb8ee8389b108475df37d30498593a4b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
160710513fa359138408bf31f002a041

SHA1
0e619a5d740401d60ecec9129d004b7a61046f5e

SHA256
aa3e56b461898b4d7a691ca1e4d99de5425d5fd02197bae64db2d0c4445e3153

SHA512
7623c03cad585359fc35ea0c32ce0277aa36fb2107cc20c21b6c7df44e9da17d5268c0df74b238b028176f324a31d32a32c13760daa168157f01a858d99837a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
ffd63827c37c57f9ed3bcbbf764492be

SHA1
25f60e0f5be1786e4f1716e851b851059092a530

SHA256
afbec4373d906c49493ebc1bc24579b2fe1a32a4d5e7c791b5a52c1476153bf8

SHA512
bfa4188a4a82b51b065a2970029f2796d7560aef5269aaf904aa2fa2bf48ae136b2190df49687d4febd103c771aaf1b4cac23ab096b923ba23f0116aaa41f098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
1d35fbe374aa58189531558c11191a5a

SHA1
5c023ecbf1d6dc5cb84e474f80520cc1048f2d56

SHA256
8d2decca75818549fcd5959fca7bf9ae9832fbfd6e1ba674d774b1e2963474e2

SHA512
d416be4c7a96445cc99d675bd78cb0de1214b8681a024574fd936b78fe25d8347ba276e18d606da638c24843b7fe285691926bf923b300ca6b99f1db8b0d9d7d

Download Submit
C:\Users\Admin\AppData\Local\Protected.ini

Filesize
207KB

MD5
ec52fa862a056975e93d2acf7889cfcf

SHA1
cc973fc28c8deb59a3c79375e1d247761356874c

SHA256
6489e9e620d90228b431544d990a99d1c94ab7f8e68b2daae5e396cf1759bfec

SHA512
8e68f6338ddff7abae22d568fbb6a4dc9d4a30e11b1c4d47a3b06496036a3b0437576d681b801114734a53bfcaea48cdd789061ca7d44a0a4fd71384da765a71

Download Submit
C:\Users\Admin\AppData\Local\Protected.json

Filesize
194KB

MD5
f5088d8e9f74af65dfce439c91ce5fda

SHA1
a5b87c273bdf258e746e6e21789e3033cd3eecfb

SHA256
459b001e277302d93177a59500f1fa99af2c02354ff296612406055ec62df45f

SHA512
f33751016a8ebc961ca979885212f8a7b47ebc8d6b610274f38e06908341ec38393f6b1eac6df412f45b66014254a73b53775ed19f929a7d3b38a62cc8a24f45

Download Submit
C:\Users\Admin\AppData\Local\SGuardSvc32.exe

Filesize
725KB

MD5
923b08492146a6a3b8bd269eb25f6372

SHA1
e263b5265abeae655f0ef5000196dbb80c6eca9b

SHA256
2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480

SHA512
6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E22.tmp

Filesize
1KB

MD5
15e0a34a28f5405044f72669b57cad62

SHA1
6121b9f90730100f4af6725a3a959dd0fb9719d8

SHA256
0056673208a35613c3b9b31fc2c5f4c012cc9bb5b212a0cb65791fe4ac290cb0

SHA512
f57f4ff9701c00b6a60b010aad91c58a354a2726c1b92f3c4e21106f40cdeaf54a2976dfb9a2ae2b1c35d78b03e9cf0a1d0ca2149b06897aca23371218121de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4h4l51v5.1h5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.bat

Filesize
308B

MD5
f228f13dbde97578c2b622137fdee789

SHA1
1fe68592840fe03e88a181fbceca932826e9ff69

SHA256
61220af764ee8d7c326e4c77f66e97adf93d469c7d21c0490b377838d0d5aefd

SHA512
250b12c800a427ec11dcb125b573c2c304cd570f32acc5faf285d0cf43198eb7d886c44fe2ff9a87977e8b53ee239577530ce232a38db4879959755bc4703cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA336.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA336.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA336.tmp\ioSpecial.ini

Filesize
1KB

MD5
a73abc883dcd3866079c62d3b4e0943d

SHA1
cae4d3261f412ae3f27ccf00463d91db22bb0312

SHA256
7fdf40dc3d22a60a254cd0bc7ce1c1048719e690e3fdea9df43bfd814cdd5066

SHA512
2c33e545da0411994055d750bc6c76e9b2067f64e4c9b696869d022332099738b134cc8621bac2fc2222aee5e8ee879f9e43d5c889c190c198167f79171310a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA336.tmp\ioSpecial.ini

Filesize
1KB

MD5
1f0c99529ce14b56feeaf5893c99cbbe

SHA1
b51c18fc1c8b7a9a97c277ca40063f6a60cc1b76

SHA256
e54bbd455035d2a46fa58ac9c393feacfe82ec5163289d3452fb4ad655a9b198

SHA512
1c8cf8f26f57db8008460035b347cbb16b97a1622f0ba0fe82b598d3a73a78843d015a3c9b837fdae4916874451b532fa548eb34e60684aba6c93506e19142c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA336.tmp\nsExec.dll

Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\target.pid

Filesize
4B

MD5
9ba82616fac74de9ce334ea7532cfddc

SHA1
9fc350985c27737c00626ca5428a720d77ae7bed

SHA256
e5ac171853c6de5edbe75c682327d5c4fb9dcc399943f992ea50bb4eb82da3b8

SHA512
05d5b757dbb5aaf4dd01bc44386d3efd63caaaa4ef1d73a18657be31de5d193614aea18f72f682975d679045455364fa18ee2cf9c85408cd68bc9ca39be750eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yanzxdub\yanzxdub.dll

Filesize
3KB

MD5
0a81feb6f2a4e0467f10b009eb420e8b

SHA1
da9245afcfc480af9aac00921c784e8ada85f420

SHA256
3d24de1a2fbfb50dd8ebf89644ccac22f3d1855c49408040075f25c992d558fb

SHA512
e5f91a68d1565886e9837862bf7cf6849db5f1a6f8bd5aee0becc1ddb1c28e1c1c79983ae5817f4f90cb653cf680d68ba68e8381df351e0608474c96b4536e0e

Download Submit
C:\Users\Admin\AppData\Local\updated.ps1

Filesize
221B

MD5
9b111b45096065d52a01747528eed794

SHA1
6b54320b17f2f26dfdf07b0e3d1dcf9bc98a42c6

SHA256
77ef6e260b031433d6e78bd885166896649ed1289bb65ed2cd1343424583e305

SHA512
3b067d8ed3a61816e09248817a3f326203dce5619a1e4a6aa007f7cc8e18f89609a0c128e2a8c03762d3107c21f13388bf3be5ea6e2120ed3f1d2a2623a773cf

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\Config.ini

Filesize
565KB

MD5
35e1593ae2b6e6a06e66baf4ba10a789

SHA1
a0e18d267a8f5df85660a2910e8ecb38e694ac47

SHA256
bee44653a83ec183338d0a8654565c5f519ebe05158d62cb16b5969d809022a7

SHA512
435a23ede1a968f30a0640acaf53dd95a1b752e34f2490c0b98a01339e425904e9f59df9c849c16331a1a6082d153cf14d951e1ebbc2b6b3dda7148b0a24d30e

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs

Filesize
296B

MD5
a6358b8bd98902002cbc1465bf276f01

SHA1
dfcb4633d17d8a15588d34a34cb6328a33e555c1

SHA256
3e5bec0f2a7b1b3c4d921580d0028fb6807b0589ca8d3496070d39c485ed91fc

SHA512
0024b856b828b37a275840157de7322d5713bc1136f5920dcd2684a37e0612c1c8823c15544bb5db8333a37821a38c83c6f587548fb551f13102cb3037eec469

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1

Filesize
1KB

MD5
959f4437520cc2aaa4752bfac7f2a7e2

SHA1
2d7097adac09c6c6a5dd330ff66a893ac5147bcf

SHA256
d3b3135e1321bcd24ccfc6fb2dc4be7531fc8740db10ee1ec5edae086603403b

SHA512
9fe9c40828798b12129d20add9f65620284c23e94475bbf6d1583034528e6e61147dd1fa2b9f36c3aaf6fd30f312eb1605e3d7a89fc7846f9f4db9ca807410e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yanzxdub\CSC6C34E01955E74297835844BEDBFDF253.TMP

Filesize
652B

MD5
79783c83d377dbe56ef23a1433062a6d

SHA1
739fd3f6c6f6dcc771745f341add9026f533f895

SHA256
a1a7bef15dc0d390f4c1b10ff42f31e56b7450a7a70bcc19a6316534148af1eb

SHA512
0d9c057bbe7a27639873a871ca7c61f7b5842bb023caa9122032979720cce133d43e3b034dba9eedf115039280b56cc267f556996ccba4b62560a2bc4b1a7e24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yanzxdub\yanzxdub.0.cs

Filesize
266B

MD5
c09bbaf83f7558f61a7235b2860d45d1

SHA1
ab169ea364e917f698a69a760b3aceec33a6b209

SHA256
aa7ae06461aae58bb22b9c54bf79a1b42e153985f7cc9612bf02439204819d5c

SHA512
5b2e56406f1d620d2aa4fcfe7e2d824e583657e452b4a9cbf5be64d26d3050e9adf9ea4f1ec395eb514c05530eea5a3edb9b57b71fc34523136ad751675c52db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yanzxdub\yanzxdub.cmdline

Filesize
369B

MD5
414c9d761c7793ffef21b39bf2b1b0ad

SHA1
5c34df3214707a8d764fd77f2ab549b9bd2ae46f

SHA256
349ef406498f8a5739f6fe5c7abf04779c1cb3c1493f467ba085bd45948877ff

SHA512
bd6cef9c159401214afbaa53d73356ffd7fbccce28b5fa893a4ba577a9bdb3f5880b41530c038b1bdf1adc9ebccf6ad4eb1bcdab45d06e87f110f4cb2165d6ad

Download Submit
memory/2540-333-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/2540-334-0x0000000070280000-0x00000000705D7000-memory.dmp

Filesize
3.3MB

Download
memory/4068-309-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/4068-320-0x0000000007540000-0x0000000007551000-memory.dmp

Filesize
68KB

Download
memory/4072-384-0x0000000070280000-0x00000000705D7000-memory.dmp

Filesize
3.3MB

Download
memory/4072-383-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/4832-362-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/5040-90-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/5040-123-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/5040-120-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/5040-85-0x000000007366E000-0x000000007366F000-memory.dmp

Filesize
4KB

Download
memory/5040-118-0x0000000007870000-0x0000000007913000-memory.dmp

Filesize
652KB

Download
memory/5040-88-0x00000000058C0000-0x0000000005F8A000-memory.dmp

Filesize
6.8MB

Download
memory/5040-119-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5040-117-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5040-104-0x0000000007820000-0x0000000007852000-memory.dmp

Filesize
200KB

Download
memory/5040-105-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5040-106-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/5040-116-0x0000000006C30000-0x0000000006C4E000-memory.dmp

Filesize
120KB

Download
memory/5040-124-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5040-89-0x0000000005610000-0x0000000005632000-memory.dmp

Filesize
136KB

Download
memory/5040-103-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/5040-87-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5040-121-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/5040-102-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/5040-101-0x0000000006170000-0x00000000064C7000-memory.dmp

Filesize
3.3MB

Download
memory/5040-86-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/5040-122-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/5040-91-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/5040-127-0x0000000073660000-0x0000000073E11000-memory.dmp

Filesize
7.7MB

Download
memory/5108-297-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/5108-307-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/5300-157-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/5384-187-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/5384-186-0x0000000001280000-0x00000000012B4000-memory.dmp

Filesize
208KB

Download
memory/5476-410-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download
memory/5476-148-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/5476-176-0x0000000007050000-0x0000000007058000-memory.dmp

Filesize
32KB

Download
memory/5476-272-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/5476-265-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/5476-145-0x0000000005660000-0x00000000059B7000-memory.dmp

Filesize
3.3MB

Download
memory/5476-181-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/5476-319-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/5476-155-0x0000000007580000-0x0000000007B26000-memory.dmp

Filesize
5.6MB

Download
memory/5476-399-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/5476-400-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-406-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-408-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-407-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-409-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-154-0x0000000006E90000-0x0000000006EB2000-memory.dmp

Filesize
136KB

Download
memory/5476-411-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download
memory/5476-412-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download
memory/5476-413-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download
memory/5476-414-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-415-0x0000000004950000-0x0000000004974000-memory.dmp

Filesize
144KB

Download
memory/5476-417-0x0000000006010000-0x0000000006075000-memory.dmp

Filesize
404KB

Download
memory/5476-416-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download
memory/5476-431-0x0000000007E50000-0x0000000007E88000-memory.dmp

Filesize
224KB

Download