valleyrat_s2 | 9c0f551fa5e93c3f30c90d89f49d811296f84cdb17c45c005559125c275fb7b7

Analysis

max time kernel
150s
max time network
144s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
03/04/2025, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheon_H4.03-X64.exe
Size

88.8MB
MD5

ce1d8c9970b30019e5b35b7ba968107b
SHA1

b1e0898deac62e2a763bbd67e973c60d1d2b7267
SHA256

9c0f551fa5e93c3f30c90d89f49d811296f84cdb17c45c005559125c275fb7b7
SHA512

1742082598e15065880915168f9958b7ca7b2b8232047836d3f67a78538eec9ed21618c8f5e1b60f321e08a381162aeca3227ff0150cce688ef350b438f9cc2d
SSDEEP

1572864:4W3kvckR7qEWlVaDkRqDX4beH5HY+9OY0AbOb84I8FalUxTv1+:4WtW7jCcIqWeH6SOVXI8Fai1+

Score

10^/10

valleyrat_s2 backdoor discovery execution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

pniu.fun:10501

pniu.fun:10502

pniu.fun:10503

Attributes

campaign_date
2025. 4. 3

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Blocklisted process makes network request 3 IoCs

flow	pid	Process
44	3708	powershell.exe
46	3708	powershell.exe
47	3708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
1184	powershell.exe
3132	powershell.exe
3196	powershell.exe
3708	powershell.exe
1152	powershell.exe
3980	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2112	SGuardSvc32.exe

Loads dropped DLL 5 IoCs

pid	Process
3468	cheon_H4.03-X64.exe
3468	cheon_H4.03-X64.exe
3468	cheon_H4.03-X64.exe
3708	powershell.exe
3468	cheon_H4.03-X64.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	powershell.exe
File opened (read-only)	\??\X:	powershell.exe
File opened (read-only)	\??\Z:	powershell.exe
File opened (read-only)	\??\G:	powershell.exe
File opened (read-only)	\??\L:	powershell.exe
File opened (read-only)	\??\P:	powershell.exe
File opened (read-only)	\??\S:	powershell.exe
File opened (read-only)	\??\T:	powershell.exe
File opened (read-only)	\??\Y:	powershell.exe
File opened (read-only)	\??\J:	powershell.exe
File opened (read-only)	\??\U:	powershell.exe
File opened (read-only)	\??\H:	powershell.exe
File opened (read-only)	\??\K:	powershell.exe
File opened (read-only)	\??\M:	powershell.exe
File opened (read-only)	\??\N:	powershell.exe
File opened (read-only)	\??\Q:	powershell.exe
File opened (read-only)	\??\V:	powershell.exe
File opened (read-only)	\??\B:	powershell.exe
File opened (read-only)	\??\D:	powershell.exe
File opened (read-only)	\??\I:	powershell.exe
File opened (read-only)	\??\O:	powershell.exe
File opened (read-only)	\??\R:	powershell.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3560	tasklist.exe
2716	tasklist.exe
1948	tasklist.exe
3940	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Application\CheomraSetup.exe	cheon_H4.03-X64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edpnotify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheon_H4.03-X64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SGuardSvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
3760	timeout.exe
1884	timeout.exe
4756	timeout.exe
3660	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	powershell.exe
1184	powershell.exe
3708	powershell.exe
3708	powershell.exe
2496	powershell.exe
2496	powershell.exe
3132	powershell.exe
3132	powershell.exe
1152	powershell.exe
1152	powershell.exe
3132	powershell.exe
3196	powershell.exe
3196	powershell.exe
3980	powershell.exe
3196	powershell.exe
3980	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeIncreaseQuotaPrivilege	1184	powershell.exe
Token: SeSecurityPrivilege	1184	powershell.exe
Token: SeTakeOwnershipPrivilege	1184	powershell.exe
Token: SeLoadDriverPrivilege	1184	powershell.exe
Token: SeSystemProfilePrivilege	1184	powershell.exe
Token: SeSystemtimePrivilege	1184	powershell.exe
Token: SeProfSingleProcessPrivilege	1184	powershell.exe
Token: SeIncBasePriorityPrivilege	1184	powershell.exe
Token: SeCreatePagefilePrivilege	1184	powershell.exe
Token: SeBackupPrivilege	1184	powershell.exe
Token: SeRestorePrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeSystemEnvironmentPrivilege	1184	powershell.exe
Token: SeRemoteShutdownPrivilege	1184	powershell.exe
Token: SeUndockPrivilege	1184	powershell.exe
Token: SeManageVolumePrivilege	1184	powershell.exe
Token: 33	1184	powershell.exe
Token: 34	1184	powershell.exe
Token: 35	1184	powershell.exe
Token: 36	1184	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3560	tasklist.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	2496	powershell.exe
Token: SeSecurityPrivilege	2496	powershell.exe
Token: SeTakeOwnershipPrivilege	2496	powershell.exe
Token: SeLoadDriverPrivilege	2496	powershell.exe
Token: SeSystemProfilePrivilege	2496	powershell.exe
Token: SeSystemtimePrivilege	2496	powershell.exe
Token: SeProfSingleProcessPrivilege	2496	powershell.exe
Token: SeIncBasePriorityPrivilege	2496	powershell.exe
Token: SeCreatePagefilePrivilege	2496	powershell.exe
Token: SeBackupPrivilege	2496	powershell.exe
Token: SeRestorePrivilege	2496	powershell.exe
Token: SeShutdownPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeSystemEnvironmentPrivilege	2496	powershell.exe
Token: SeRemoteShutdownPrivilege	2496	powershell.exe
Token: SeUndockPrivilege	2496	powershell.exe
Token: SeManageVolumePrivilege	2496	powershell.exe
Token: 33	2496	powershell.exe
Token: 34	2496	powershell.exe
Token: 35	2496	powershell.exe
Token: 36	2496	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	3940	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3708	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1184	3468	cheon_H4.03-X64.exe	90
PID 3468 wrote to memory of 1184	3468	cheon_H4.03-X64.exe	90
PID 3468 wrote to memory of 1184	3468	cheon_H4.03-X64.exe	90
PID 3468 wrote to memory of 5396	3468	cheon_H4.03-X64.exe	93
PID 3468 wrote to memory of 5396	3468	cheon_H4.03-X64.exe	93
PID 3468 wrote to memory of 5396	3468	cheon_H4.03-X64.exe	93
PID 5396 wrote to memory of 3708	5396	wscript.exe	94
PID 5396 wrote to memory of 3708	5396	wscript.exe	94
PID 5396 wrote to memory of 3708	5396	wscript.exe	94
PID 3708 wrote to memory of 1764	3708	powershell.exe	96
PID 3708 wrote to memory of 1764	3708	powershell.exe	96
PID 3708 wrote to memory of 1764	3708	powershell.exe	96
PID 1764 wrote to memory of 3124	1764	csc.exe	97
PID 1764 wrote to memory of 3124	1764	csc.exe	97
PID 1764 wrote to memory of 3124	1764	csc.exe	97
PID 3468 wrote to memory of 2112	3468	cheon_H4.03-X64.exe	98
PID 3468 wrote to memory of 2112	3468	cheon_H4.03-X64.exe	98
PID 3468 wrote to memory of 2112	3468	cheon_H4.03-X64.exe	98
PID 2112 wrote to memory of 752	2112	SGuardSvc32.exe	99
PID 2112 wrote to memory of 752	2112	SGuardSvc32.exe	99
PID 2112 wrote to memory of 752	2112	SGuardSvc32.exe	99
PID 2112 wrote to memory of 752	2112	SGuardSvc32.exe	99
PID 3708 wrote to memory of 1112	3708	powershell.exe	101
PID 3708 wrote to memory of 1112	3708	powershell.exe	101
PID 3708 wrote to memory of 1112	3708	powershell.exe	101
PID 1112 wrote to memory of 3560	1112	cmd.exe	102
PID 1112 wrote to memory of 3560	1112	cmd.exe	102
PID 1112 wrote to memory of 3560	1112	cmd.exe	102
PID 1112 wrote to memory of 712	1112	cmd.exe	103
PID 1112 wrote to memory of 712	1112	cmd.exe	103
PID 1112 wrote to memory of 712	1112	cmd.exe	103
PID 3708 wrote to memory of 4036	3708	powershell.exe	104
PID 3708 wrote to memory of 4036	3708	powershell.exe	104
PID 3708 wrote to memory of 4036	3708	powershell.exe	104
PID 4036 wrote to memory of 2496	4036	cmd.exe	106
PID 4036 wrote to memory of 2496	4036	cmd.exe	106
PID 4036 wrote to memory of 2496	4036	cmd.exe	106
PID 1112 wrote to memory of 1884	1112	cmd.exe	107
PID 1112 wrote to memory of 1884	1112	cmd.exe	107
PID 1112 wrote to memory of 1884	1112	cmd.exe	107
PID 3708 wrote to memory of 5192	3708	powershell.exe	108
PID 3708 wrote to memory of 5192	3708	powershell.exe	108
PID 3708 wrote to memory of 5192	3708	powershell.exe	108
PID 5192 wrote to memory of 3132	5192	cmd.exe	109
PID 5192 wrote to memory of 3132	5192	cmd.exe	109
PID 5192 wrote to memory of 3132	5192	cmd.exe	109
PID 3708 wrote to memory of 560	3708	powershell.exe	110
PID 3708 wrote to memory of 560	3708	powershell.exe	110
PID 3708 wrote to memory of 560	3708	powershell.exe	110
PID 560 wrote to memory of 1152	560	cmd.exe	112
PID 560 wrote to memory of 1152	560	cmd.exe	112
PID 560 wrote to memory of 1152	560	cmd.exe	112
PID 3708 wrote to memory of 6104	3708	powershell.exe	113
PID 3708 wrote to memory of 6104	3708	powershell.exe	113
PID 3708 wrote to memory of 6104	3708	powershell.exe	113
PID 6104 wrote to memory of 3196	6104	cmd.exe	114
PID 6104 wrote to memory of 3196	6104	cmd.exe	114
PID 6104 wrote to memory of 3196	6104	cmd.exe	114
PID 3708 wrote to memory of 3672	3708	powershell.exe	115
PID 3708 wrote to memory of 3672	3708	powershell.exe	115
PID 3708 wrote to memory of 3672	3708	powershell.exe	115
PID 3672 wrote to memory of 3980	3672	cmd.exe	117
PID 3672 wrote to memory of 3980	3672	cmd.exe	117
PID 3672 wrote to memory of 3980	3672	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\cheon_H4.03-X64.exe
"C:\Users\Admin\AppData\Local\Temp\cheon_H4.03-X64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Set-MpPreference -ExclusionPath C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\SysWOW64\wscript.exe
  wscript //B "C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0akt2ltw\0akt2ltw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADCF.tmp" "c:\Users\Admin\AppData\Local\Temp\0akt2ltw\CSC4B640BD1E4A0431BAB57DF994639FE97.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /B /c "C:\Users\Admin\AppData\Local\Temp\monitor.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 3708"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "3708"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:712
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1884
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 3708"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "3708"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4756
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 3708"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "3708"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3660
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "PID eq 3708"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "3708"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:6104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
- C:\Users\Admin\AppData\Local\SGuardSvc32.exe
  "C:\Users\Admin\AppData\Local\SGuardSvc32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\edpnotify.exe
    C:\Windows\SysWOW64\edpnotify.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f9349064c7c8f8467cc12d78a462e5f9

SHA1
5e1d27fc64751cd8c0e9448ee47741da588b3484

SHA256
883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

SHA512
3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
d4687eb62afcd137d2b8fd488f695fbb

SHA1
70bf6e9a8bf3149bd3911e4dc996f7003571d2fc

SHA256
a8c00fea7469d96b6e5242ad671cc4d40962c88ad1f058a5755ccababf876315

SHA512
745a405ef6827dae7ac627624886954e0f961b7c11232b735358afe7fb12913be43e8771e1118ca5e4b08c5dea633fedeff6fb5c315862326a6356e220ecff74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
db950ae37dc4d03ce96a1b75e88f4249

SHA1
2788e458382204d7eba81f879143636dfe103a89

SHA256
16f59c84ba10237380eb5eddddfd96fdfe9814b5e29469be7ad57884ffedd777

SHA512
6ad4067f2b971a6a95f461bb395592aee5b21a0ed1f2c81f7ff2a08f9119a2cb4fef459915af2df9bff8ecf1cb406b911c2b900dc5de53f01b0038a9e6125aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
56d90cdf84db06186596daa675f1cf15

SHA1
739a50b7cac21bcd2281d4321eb497531faae8e3

SHA256
a828f50550013baded08ecae9d7dd26dd7dfd0da97438aa597637e5e84187d79

SHA512
e7c556785ef6e04127af7b1b1d6b50a0d01454af39eeae89408f12cc7c3f83fc6945893efb118fb23a447283a48e84191bc84e2ff244f304653d7d5773fafe2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
0147544161fa23c9984b3de3e88865ab

SHA1
8c25dd1ff295c777ffc30c5a4d2bdf408a962719

SHA256
1a0aa882319b83b9692ff19d0309ba74b9299f852bc600204cd520efe12e0768

SHA512
4725c9e19dabc8277596951ebd8f17f6c7f4dbe9be0c71983c753df7a2e3a2b4b0e8ab12addb275f2e97ba92b1a5352a69bb74878d0f8c7d8763bdeaaf974751

Download Submit
C:\Users\Admin\AppData\Local\Protected.ini

Filesize
207KB

MD5
ec52fa862a056975e93d2acf7889cfcf

SHA1
cc973fc28c8deb59a3c79375e1d247761356874c

SHA256
6489e9e620d90228b431544d990a99d1c94ab7f8e68b2daae5e396cf1759bfec

SHA512
8e68f6338ddff7abae22d568fbb6a4dc9d4a30e11b1c4d47a3b06496036a3b0437576d681b801114734a53bfcaea48cdd789061ca7d44a0a4fd71384da765a71

Download Submit
C:\Users\Admin\AppData\Local\Protected.json

Filesize
194KB

MD5
f5088d8e9f74af65dfce439c91ce5fda

SHA1
a5b87c273bdf258e746e6e21789e3033cd3eecfb

SHA256
459b001e277302d93177a59500f1fa99af2c02354ff296612406055ec62df45f

SHA512
f33751016a8ebc961ca979885212f8a7b47ebc8d6b610274f38e06908341ec38393f6b1eac6df412f45b66014254a73b53775ed19f929a7d3b38a62cc8a24f45

Download Submit
C:\Users\Admin\AppData\Local\SGuardSvc32.exe

Filesize
725KB

MD5
923b08492146a6a3b8bd269eb25f6372

SHA1
e263b5265abeae655f0ef5000196dbb80c6eca9b

SHA256
2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480

SHA512
6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0akt2ltw\0akt2ltw.dll

Filesize
3KB

MD5
5a922f4a06f20b628c5f9541e7dfd1dd

SHA1
1481070395a257a9f1a1db7c89ad0d09b944dd75

SHA256
ad16c31e667ac3d904e4e4b55e6e3c25a96e8a8cc1dfe419b565da8d7f6b044b

SHA512
b5407b11735ceae8dcc4550269d2498818b826200ebc7788ce13746b47692867cdea3fd2c2e82812cb8a17f13691a57e79947b4ac854d327a7a341f00037eb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADCF.tmp

Filesize
1KB

MD5
3c6fb6afab79e4fc95a84096a396a255

SHA1
9808e16a88f3ef375a72ff1c829f8404c99da272

SHA256
0650984a20d4f73574918893022dbc7238a8438045fd737dd8767c43710e6748

SHA512
588dc18f7bee997ddd1d8cffbd319327b5ec1bbf41202283b41ddbe416737ed127b3a1d89903f9a7d600c18fc513a30f863c4245ef20d0ade5f2f8bf5366887c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkstzjk2.fju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.bat

Filesize
308B

MD5
f228f13dbde97578c2b622137fdee789

SHA1
1fe68592840fe03e88a181fbceca932826e9ff69

SHA256
61220af764ee8d7c326e4c77f66e97adf93d469c7d21c0490b377838d0d5aefd

SHA512
250b12c800a427ec11dcb125b573c2c304cd570f32acc5faf285d0cf43198eb7d886c44fe2ff9a87977e8b53ee239577530ce232a38db4879959755bc4703cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\ioSpecial.ini

Filesize
1KB

MD5
edf9d95003f74becbf3baaa962834fd9

SHA1
d170e439a184869074bea438861d3c9f9652d701

SHA256
de8c0f06bb48d8be996bd54c435d10459177a482768a338b7c56813b5da6881c

SHA512
0881149d2d9fe7b0aec51620827c89d6783317f02cad757e4991cf3be7c0c364bab279242b3b427c25c0ba48d517e70409a729d2cfdcc904deb70fe0f25f5e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\ioSpecial.ini

Filesize
1KB

MD5
6de99ca714fd9b6813c297b92a18a131

SHA1
ae93e74d1bdf72e58565882e183a0c31ce78e6fa

SHA256
c9a3a564cac0d6eb18882a87aeed63812cb567b12786349aab31dd09ba2fe226

SHA512
eee5d2f041c357bf53232706d129d79bedc28163640608422e976e79ee3ddb7dfe1282f4e3e4fccec7741fab567a2f1df1dffe44f6c6232be1343847b94188d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv477A.tmp\nsExec.dll

Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\target.pid

Filesize
4B

MD5
34ffeb359a192eb8174b6854643cc046

SHA1
b6356eeb8338bf9c15899584bbb23135b40452e9

SHA256
aaf68675c4bea5600c273f6d4371e8d1b9f383a6dd96db30d628cf77dd91c09c

SHA512
7125dc16314e6314e32be5a58539ca75b0e7b6c93b5f1f443fd79e991edbdba5bd11f8333ef60eb6cd193149339d547deb837284165d0805fa98bde473dc5323

Download Submit
C:\Users\Admin\AppData\Local\updated.ps1

Filesize
221B

MD5
9b111b45096065d52a01747528eed794

SHA1
6b54320b17f2f26dfdf07b0e3d1dcf9bc98a42c6

SHA256
77ef6e260b031433d6e78bd885166896649ed1289bb65ed2cd1343424583e305

SHA512
3b067d8ed3a61816e09248817a3f326203dce5619a1e4a6aa007f7cc8e18f89609a0c128e2a8c03762d3107c21f13388bf3be5ea6e2120ed3f1d2a2623a773cf

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\Config.ini

Filesize
565KB

MD5
b6e7cb06da2ffea87f887b7d5d514d71

SHA1
d5d21843afb8e7bb134b532ef449d5b9a7b2fecc

SHA256
e958883b06092e7140470fdafd51d0fcad6ef0353c1409ef10ad06799ccee87a

SHA512
5b49c13324e2d1c79345c462f55f21dbecff636d0cac89006b5e6930f66a271ca64856e178ebc67a12d0ca6d3286a52aa3c702c8fccbf9e53635573409fe5bf5

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs

Filesize
296B

MD5
a6358b8bd98902002cbc1465bf276f01

SHA1
dfcb4633d17d8a15588d34a34cb6328a33e555c1

SHA256
3e5bec0f2a7b1b3c4d921580d0028fb6807b0589ca8d3496070d39c485ed91fc

SHA512
0024b856b828b37a275840157de7322d5713bc1136f5920dcd2684a37e0612c1c8823c15544bb5db8333a37821a38c83c6f587548fb551f13102cb3037eec469

Download Submit
C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1

Filesize
1KB

MD5
9b9d43d1e8a3579a0e81e35db8e84c46

SHA1
63a89e50f8050ad7a89745bcdb51180373e33c4c

SHA256
0a04147427707bfac19f7712006c44baf869e1fb76fb5246f90e00c6e3cdc0e5

SHA512
f2f09b6aa0c98a2542d46eaa371ed0b6ecddf7fdd0e3de2223fd3b6643dc9d81e62d72f7666b089cb4586af2f6d34fb052a5009ff9aea523d404bd1c1c3be815

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0akt2ltw\0akt2ltw.0.cs

Filesize
266B

MD5
c09bbaf83f7558f61a7235b2860d45d1

SHA1
ab169ea364e917f698a69a760b3aceec33a6b209

SHA256
aa7ae06461aae58bb22b9c54bf79a1b42e153985f7cc9612bf02439204819d5c

SHA512
5b2e56406f1d620d2aa4fcfe7e2d824e583657e452b4a9cbf5be64d26d3050e9adf9ea4f1ec395eb514c05530eea5a3edb9b57b71fc34523136ad751675c52db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0akt2ltw\0akt2ltw.cmdline

Filesize
369B

MD5
78972bb06f2d0abb5b8186364d27a595

SHA1
19ada8f89af6dc59b12b83c87b02bb518001922f

SHA256
f8cde098b15cb0fa1a4a5b8356f5781cd2c10f4cb325ed74532b97b051f31d9a

SHA512
29222471d15c7bd352f9aa8c58d4c98372b5883322a5610b5a1fa888af1e5e714b8e92eb680a7c9125645869c8aababc918439c5df9a4c96426b120ab65ac706

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0akt2ltw\CSC4B640BD1E4A0431BAB57DF994639FE97.TMP

Filesize
652B

MD5
061682a5e1f05d63f2841ef2157bd14d

SHA1
b7fadf703a2ff15a23efcac296584fdb6248f222

SHA256
40e0b23218d665e53337221ae2ac405ffaca9d20611526beb7d54f5feb67f17c

SHA512
09530a844b82e8a7fc370b9d7a507ca44a74ddcdcca21ac53d47bf13e07ae9804626a54867ac8daeac68c5011f1a8b6fadc05ea131beb05b0b79ecd2a195fdd0

Download Submit
memory/752-190-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/752-188-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/1152-336-0x0000000070B80000-0x0000000070ED7000-memory.dmp

Filesize
3.3MB

Download
memory/1152-346-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/1152-335-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/1184-87-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/1184-121-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/1184-123-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/1184-124-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/1184-91-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1184-122-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/1184-118-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/1184-120-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/1184-119-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/1184-105-0x0000000070830000-0x000000007087C000-memory.dmp

Filesize
304KB

Download
memory/1184-86-0x00000000049D0000-0x0000000004A06000-memory.dmp

Filesize
216KB

Download
memory/1184-85-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1184-90-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/1184-117-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/1184-116-0x00000000071C0000-0x00000000071DE000-memory.dmp

Filesize
120KB

Download
memory/1184-106-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/1184-88-0x00000000050E0000-0x00000000057AA000-memory.dmp

Filesize
6.8MB

Download
memory/1184-104-0x0000000007200000-0x0000000007232000-memory.dmp

Filesize
200KB

Download
memory/1184-103-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/1184-102-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/1184-101-0x0000000005B40000-0x0000000005E97000-memory.dmp

Filesize
3.3MB

Download
memory/1184-89-0x0000000004FE0000-0x0000000005002000-memory.dmp

Filesize
136KB

Download
memory/1184-127-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/2112-182-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/2496-300-0x0000000007B60000-0x0000000007C03000-memory.dmp

Filesize
652KB

Download
memory/2496-290-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/3132-310-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/3132-329-0x00000000070A0000-0x00000000070B1000-memory.dmp

Filesize
68KB

Download
memory/3196-365-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/3196-385-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/3196-375-0x0000000007040000-0x00000000070E3000-memory.dmp

Filesize
652KB

Download
memory/3708-411-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/3708-399-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-152-0x0000000007DC0000-0x0000000008366000-memory.dmp

Filesize
5.6MB

Download
memory/3708-151-0x0000000007630000-0x0000000007652000-memory.dmp

Filesize
136KB

Download
memory/3708-147-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/3708-176-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/3708-332-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/3708-268-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/3708-419-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-418-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-404-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-168-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/3708-140-0x0000000005E20000-0x0000000006177000-memory.dmp

Filesize
3.3MB

Download
memory/3708-407-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-408-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-274-0x0000000010000000-0x0000000010092000-memory.dmp

Filesize
584KB

Download
memory/3708-412-0x00000000062B0000-0x00000000062D2000-memory.dmp

Filesize
136KB

Download
memory/3708-413-0x0000000008630000-0x0000000008667000-memory.dmp

Filesize
220KB

Download
memory/3708-414-0x0000000008630000-0x0000000008667000-memory.dmp

Filesize
220KB

Download
memory/3708-415-0x0000000008630000-0x0000000008667000-memory.dmp

Filesize
220KB

Download
memory/3708-416-0x0000000008630000-0x0000000008667000-memory.dmp

Filesize
220KB

Download
memory/3980-389-0x0000000070B80000-0x0000000070ED7000-memory.dmp

Filesize
3.3MB

Download
memory/3980-388-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download