7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

Analysis

max time kernel
65s
max time network
133s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fads_Gercekler.exe
Size

2.0MB
MD5

e0fcc6006b8db87d96c047775ca5c598
SHA1

9429e298482ea5d8f2802353a4b97544e7bc0949
SHA256

7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd
SHA512

20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Score

10^/10

evasion trojan

Malware Config

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exeAdvancedRun.exeAdvancedRun.exec3f14f9f-d04b-4643-b38c-cffd77563f58.exec3f14f9f-d04b-4643-b38c-cffd77563f58.exe

pid	process
2424	AdvancedRun.exe
2812	AdvancedRun.exe
1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
3264	AdvancedRun.exe
4488	AdvancedRun.exe
8564	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
8896	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fads_Gercekler.exe5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fads_Gercekler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fads_Gercekler.exe

Drops startup file 2 IoCs

Processes:

Fads_Gercekler.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	Fads_Gercekler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	Fads_Gercekler.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Fads_Gercekler.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe = "0"	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Fads_Gercekler.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Fads_Gercekler.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fads_Gercekler.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fads_Gercekler.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exeFads_Gercekler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Fads_Gercekler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Fads_Gercekler.exe

Drops file in Windows directory 1 IoCs

Processes:

Fads_Gercekler.exe

description ioc process

File created C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe Fads_Gercekler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe	Fads_Gercekler.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2424	AdvancedRun.exe
2424	AdvancedRun.exe
2424	AdvancedRun.exe
2424	AdvancedRun.exe
2812	AdvancedRun.exe
2812	AdvancedRun.exe
2812	AdvancedRun.exe
2812	AdvancedRun.exe
3684	powershell.exe
3684	powershell.exe
188	powershell.exe
188	powershell.exe
3036	powershell.exe
3036	powershell.exe
1416	powershell.exe
1416	powershell.exe
308	powershell.exe
308	powershell.exe
4104	powershell.exe
4104	powershell.exe
3120	powershell.exe
3120	powershell.exe
4188	powershell.exe
4188	powershell.exe
3684	powershell.exe
188	powershell.exe
3036	powershell.exe
1416	powershell.exe
308	powershell.exe
3120	powershell.exe
4188	powershell.exe
4104	powershell.exe
3264	AdvancedRun.exe
3264	AdvancedRun.exe
3264	AdvancedRun.exe
3264	AdvancedRun.exe
3036	powershell.exe
3036	powershell.exe
5060	powershell.exe
5060	powershell.exe
5096	powershell.exe
5096	powershell.exe
3684	powershell.exe
3684	powershell.exe
4488	AdvancedRun.exe
4488	AdvancedRun.exe
4488	AdvancedRun.exe
4488	AdvancedRun.exe
188	powershell.exe
188	powershell.exe
4100	powershell.exe
4100	powershell.exe
1416	powershell.exe
1416	powershell.exe
308	powershell.exe
308	powershell.exe
3120	powershell.exe
3120	powershell.exe
4188	powershell.exe
4188	powershell.exe
4104	powershell.exe
4104	powershell.exe
5060	powershell.exe
4900	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exec3f14f9f-d04b-4643-b38c-cffd77563f58.exec3f14f9f-d04b-4643-b38c-cffd77563f58.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2424	AdvancedRun.exe
Token: SeImpersonatePrivilege	2424	AdvancedRun.exe
Token: SeDebugPrivilege	2812	AdvancedRun.exe
Token: SeImpersonatePrivilege	2812	AdvancedRun.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3264	AdvancedRun.exe
Token: SeImpersonatePrivilege	3264	AdvancedRun.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4488	AdvancedRun.exe
Token: SeImpersonatePrivilege	4488	AdvancedRun.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5956	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	6184	powershell.exe
Token: SeDebugPrivilege	6220	powershell.exe
Token: SeDebugPrivilege	6276	powershell.exe
Token: SeDebugPrivilege	6252	powershell.exe
Token: SeDebugPrivilege	6328	powershell.exe
Token: SeDebugPrivilege	6420	powershell.exe
Token: SeDebugPrivilege	6868	powershell.exe
Token: SeDebugPrivilege	6940	powershell.exe
Token: SeDebugPrivilege	6928	powershell.exe
Token: SeDebugPrivilege	6984	powershell.exe
Token: SeDebugPrivilege	7012	powershell.exe
Token: SeDebugPrivilege	7092	powershell.exe
Token: SeDebugPrivilege	7160	powershell.exe
Token: SeDebugPrivilege	6912	powershell.exe
Token: SeDebugPrivilege	7232	powershell.exe
Token: SeDebugPrivilege	7940	powershell.exe
Token: SeDebugPrivilege	8024	powershell.exe
Token: SeDebugPrivilege	7976	powershell.exe
Token: SeDebugPrivilege	6196	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	7244	powershell.exe
Token: SeDebugPrivilege	6296	powershell.exe
Token: SeDebugPrivilege	7544	powershell.exe
Token: SeDebugPrivilege	7496	powershell.exe
Token: SeDebugPrivilege	8564	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
Token: SeImpersonatePrivilege	8564	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
Token: SeDebugPrivilege	8896	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
Token: SeImpersonatePrivilege	8896	c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
Token: SeDebugPrivilege	8576	powershell.exe
Token: SeDebugPrivilege	8644	powershell.exe
Token: SeDebugPrivilege	8720	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fads_Gercekler.exeAdvancedRun.exe5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exeAdvancedRun.exe

description	pid	process	target process
PID 1808 wrote to memory of 2424	1808	Fads_Gercekler.exe	AdvancedRun.exe
PID 1808 wrote to memory of 2424	1808	Fads_Gercekler.exe	AdvancedRun.exe
PID 1808 wrote to memory of 2424	1808	Fads_Gercekler.exe	AdvancedRun.exe
PID 2424 wrote to memory of 2812	2424	AdvancedRun.exe	AdvancedRun.exe
PID 2424 wrote to memory of 2812	2424	AdvancedRun.exe	AdvancedRun.exe
PID 2424 wrote to memory of 2812	2424	AdvancedRun.exe	AdvancedRun.exe
PID 1808 wrote to memory of 3684	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3684	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3684	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3036	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3036	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3036	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 1416	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 1416	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 1416	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 308	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 308	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 308	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 1292	1808	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1808 wrote to memory of 1292	1808	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1808 wrote to memory of 1292	1808	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1808 wrote to memory of 3120	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3120	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 3120	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4104	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4104	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4104	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4188	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5060	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5060	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5060	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5096	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5096	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5096	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4100	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4100	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4100	1808	Fads_Gercekler.exe	powershell.exe
PID 1292 wrote to memory of 3264	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	AdvancedRun.exe
PID 1292 wrote to memory of 3264	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	AdvancedRun.exe
PID 1292 wrote to memory of 3264	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	AdvancedRun.exe
PID 3264 wrote to memory of 4488	3264	AdvancedRun.exe	AdvancedRun.exe
PID 3264 wrote to memory of 4488	3264	AdvancedRun.exe	AdvancedRun.exe
PID 3264 wrote to memory of 4488	3264	AdvancedRun.exe	AdvancedRun.exe
PID 1808 wrote to memory of 4900	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4900	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4900	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4948	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4948	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 4948	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5048	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5048	1808	Fads_Gercekler.exe	powershell.exe
PID 1808 wrote to memory of 5048	1808	Fads_Gercekler.exe	powershell.exe
PID 1292 wrote to memory of 1636	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 1636	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 1636	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 4924	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 4924	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 4924	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe
PID 1292 wrote to memory of 5188	1292	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Fads_Gercekler.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Fads_Gercekler.exe

C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe
"C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808

C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe" /SpecialRun 4101d8 2424
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe" /SpecialRun 4101d8 3264
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:8996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:9044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:8492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:8848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:8244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:9616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:9968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:9996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:10032

C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe
"C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe" /EXEFilename "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe
"C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe" /SpecialRun 4101d8 1388
4⤵
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6296

C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
"C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8564

C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
"C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe" /SpecialRun 4101d8 8564
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e5b9dc1f85ede0b964296740b1ee02d9

SHA1
d151100b291a62f631f301d47c04aee3a024efb6

SHA256
6490d6ad0fd28e3dcc484acae849d08da1300bc4caaeffffc07fe09c86ceae56

SHA512
04df143d5f5e9b63e6f49ae1cbc6cabd1a18d1ee02475ec70547cef87d42053fdff418c1d08e9fb523b992bd5be40ee40fc82d5cb20779e66002b252d5b6f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6399a1bfa7a1a87b0c07b04c149ccee2

SHA1
6446914207f26158cf415ee6570fddd40fa272a7

SHA256
e91ea73d44ad7e7fa1a033e2293647acee768e72d486afe939a02a7a25d2679e

SHA512
b22c9134652b1195c811a4b7c6d01b2cdbd7ea05cb9942b7152cf10bc6b8d0b47517b7a97d91088187ef3a3ea42c3c21bdbe7b13b3c523c9b3cc635d3cfdfb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6399a1bfa7a1a87b0c07b04c149ccee2

SHA1
6446914207f26158cf415ee6570fddd40fa272a7

SHA256
e91ea73d44ad7e7fa1a033e2293647acee768e72d486afe939a02a7a25d2679e

SHA512
b22c9134652b1195c811a4b7c6d01b2cdbd7ea05cb9942b7152cf10bc6b8d0b47517b7a97d91088187ef3a3ea42c3c21bdbe7b13b3c523c9b3cc635d3cfdfb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
3cd32741731c3736d8ac37e7df8c70df

SHA1
2f8f72a25f3329a34070232ab50fe99128172b77

SHA256
41fe8ead21a9b5d001ce95d7c0764cef35dfef63c4592421709851252a82dd4b

SHA512
840ea2835cd01c902587ca63168188f7d41772527cb4285d0424bfcde3b069f06461d94b9b65b59932de1b2a76757f3a53c798c514d30c283d8cc37cf931fab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
3cd32741731c3736d8ac37e7df8c70df

SHA1
2f8f72a25f3329a34070232ab50fe99128172b77

SHA256
41fe8ead21a9b5d001ce95d7c0764cef35dfef63c4592421709851252a82dd4b

SHA512
840ea2835cd01c902587ca63168188f7d41772527cb4285d0424bfcde3b069f06461d94b9b65b59932de1b2a76757f3a53c798c514d30c283d8cc37cf931fab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
3cd32741731c3736d8ac37e7df8c70df

SHA1
2f8f72a25f3329a34070232ab50fe99128172b77

SHA256
41fe8ead21a9b5d001ce95d7c0764cef35dfef63c4592421709851252a82dd4b

SHA512
840ea2835cd01c902587ca63168188f7d41772527cb4285d0424bfcde3b069f06461d94b9b65b59932de1b2a76757f3a53c798c514d30c283d8cc37cf931fab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
453e79e02f1f0e22f7f87ac5d2ed6f77

SHA1
bbb2da5cd09b989c0910c25a6f0cca5e1e3c1902

SHA256
163ce0096941070c3bc2c79c1192537c9c10a62a179f29b2e4c44fa104b4b5b0

SHA512
bce5bf3e07d4d4b1e1b559e63c239e4f7d4a187aecb259cfced226760788e4a6711bbe4f7ac94a7ec302dab06fd64c904af5ccfd188b43fe8b0638854c9dba59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
453e79e02f1f0e22f7f87ac5d2ed6f77

SHA1
bbb2da5cd09b989c0910c25a6f0cca5e1e3c1902

SHA256
163ce0096941070c3bc2c79c1192537c9c10a62a179f29b2e4c44fa104b4b5b0

SHA512
bce5bf3e07d4d4b1e1b559e63c239e4f7d4a187aecb259cfced226760788e4a6711bbe4f7ac94a7ec302dab06fd64c904af5ccfd188b43fe8b0638854c9dba59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c56c0717aec3a0327533dbd5da9ec441

SHA1
73c50595748c22f02e646b2616b1653f9c24b3ed

SHA256
f74c7831269d9c1c64cd02b7739fa49f57dd3748560f9dfff9e9dfce57893164

SHA512
712b6f8b525a6588ab10da4427dd363672646d1df303a742174425d21eb1f7ed2df6825bf235abc95a7a0d119a70d9b237b2337814c0a3c82239ff0bec9a6810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c56c0717aec3a0327533dbd5da9ec441

SHA1
73c50595748c22f02e646b2616b1653f9c24b3ed

SHA256
f74c7831269d9c1c64cd02b7739fa49f57dd3748560f9dfff9e9dfce57893164

SHA512
712b6f8b525a6588ab10da4427dd363672646d1df303a742174425d21eb1f7ed2df6825bf235abc95a7a0d119a70d9b237b2337814c0a3c82239ff0bec9a6810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
05d73a4a200b8090b66d48ce9cec3450

SHA1
0fca114f848edf7ffac4314d2b8263c311d41cec

SHA256
f81e3c06e598d19d595d5c5a567216ab620a964279d566b461e9c568f50ab09a

SHA512
2d5e6cc68f322fcd35e6ca2c1b1c492cf41c91f03c1d6b1378bfac8f24ff59bb5c3053238d6c324e8b1dd4d75bcad5e3beeec6a96d0464836777423728dd6f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6399a1bfa7a1a87b0c07b04c149ccee2

SHA1
6446914207f26158cf415ee6570fddd40fa272a7

SHA256
e91ea73d44ad7e7fa1a033e2293647acee768e72d486afe939a02a7a25d2679e

SHA512
b22c9134652b1195c811a4b7c6d01b2cdbd7ea05cb9942b7152cf10bc6b8d0b47517b7a97d91088187ef3a3ea42c3c21bdbe7b13b3c523c9b3cc635d3cfdfb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6399a1bfa7a1a87b0c07b04c149ccee2

SHA1
6446914207f26158cf415ee6570fddd40fa272a7

SHA256
e91ea73d44ad7e7fa1a033e2293647acee768e72d486afe939a02a7a25d2679e

SHA512
b22c9134652b1195c811a4b7c6d01b2cdbd7ea05cb9942b7152cf10bc6b8d0b47517b7a97d91088187ef3a3ea42c3c21bdbe7b13b3c523c9b3cc635d3cfdfb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
697f69a2d63c967c5c7a5c662d33eadb

SHA1
279be25284337857224ca8235e71cca6de2fc642

SHA256
8450adff2f76bd22187e423f8b255a0e9d4e4d94740d552bcbb5887e70040844

SHA512
81634aa5ac7a7abefc5003586de5ac38d3dbbe3460997bbb7fde21d3f5967dd1bde8d6bc589b9a8c3ba49703da6b928fe4ff2ac41b56da3ceaa552bf892d654a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
813003519b63eab649440d3ac2a247eb

SHA1
0e2410e2adef655162560bc5390e68732f00353c

SHA256
1862c37126d7a7c7ceb04bed209e81c06a046438fc8dcef070b91fdbcb296999

SHA512
06c6ac9ad8703d816946a1148a1d78344ea94d0c33f4d1d64a41148e52cec0b166b73376e1b578934305bdb22accd0d0f708f0e2305543b089992a92b01d8d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
813003519b63eab649440d3ac2a247eb

SHA1
0e2410e2adef655162560bc5390e68732f00353c

SHA256
1862c37126d7a7c7ceb04bed209e81c06a046438fc8dcef070b91fdbcb296999

SHA512
06c6ac9ad8703d816946a1148a1d78344ea94d0c33f4d1d64a41148e52cec0b166b73376e1b578934305bdb22accd0d0f708f0e2305543b089992a92b01d8d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
813003519b63eab649440d3ac2a247eb

SHA1
0e2410e2adef655162560bc5390e68732f00353c

SHA256
1862c37126d7a7c7ceb04bed209e81c06a046438fc8dcef070b91fdbcb296999

SHA512
06c6ac9ad8703d816946a1148a1d78344ea94d0c33f4d1d64a41148e52cec0b166b73376e1b578934305bdb22accd0d0f708f0e2305543b089992a92b01d8d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
813003519b63eab649440d3ac2a247eb

SHA1
0e2410e2adef655162560bc5390e68732f00353c

SHA256
1862c37126d7a7c7ceb04bed209e81c06a046438fc8dcef070b91fdbcb296999

SHA512
06c6ac9ad8703d816946a1148a1d78344ea94d0c33f4d1d64a41148e52cec0b166b73376e1b578934305bdb22accd0d0f708f0e2305543b089992a92b01d8d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
67b5ec747df437643d1615e99f0a82a9

SHA1
baed92e01021796f578ee8d1425cad7dc0ab87de

SHA256
dc9c54e9e53934725e098befa1159e7e681265a30e23d14ebc046a4245c6b102

SHA512
8c312ac83a03390acc8abd8da863a8ff7578ccd9b152e49879be01c4b51547e8009b9952c89fcb6fc282eacf492e9193d95ea8c17f92f2fa4172afad412fd135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0ad39117301aa3810a9aa19056dd22bf

SHA1
f2820bd2b657695854558d3ae712f3cdef83666a

SHA256
909321ef2ae6f3257408ef1e1b0bef7f1bd4295717fab1ce274f8b913274f8b9

SHA512
d2e87e2f923162be0bd5bfc2fc4176cb38c7227ae017c8229078e175f82fd19d33389b8da26fd11fc536cc3d2ba3d4fdcaf89ae8c2aefe516f8181fdc407a44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0ad39117301aa3810a9aa19056dd22bf

SHA1
f2820bd2b657695854558d3ae712f3cdef83666a

SHA256
909321ef2ae6f3257408ef1e1b0bef7f1bd4295717fab1ce274f8b913274f8b9

SHA512
d2e87e2f923162be0bd5bfc2fc4176cb38c7227ae017c8229078e175f82fd19d33389b8da26fd11fc536cc3d2ba3d4fdcaf89ae8c2aefe516f8181fdc407a44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
afcb12589fe270fb82a8488f00739e4b

SHA1
5bbf3053b340b2428bbb7adb0d7cbb064eb14727

SHA256
a9ec2a3c39864f678c020702789a0b4cd699958187c2dc45e1d92065c2d16e89

SHA512
87d85330fa837ed398f634df2190aab475a7bd59979dfbbcd24fd0198116e3cb60ea8c6e8aaa7ab56b55947099829bf0f62fccded145d70df5fedeb21cd38359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89f1e4ddf9cf62f0caa9239ee286866e

SHA1
7fcddd8ce5362828d88a7defc89d01301002b928

SHA256
a9aea8820b22d8803247913bc20a1bb52453089db96e5b3947b52a8fd2311a41

SHA512
56b45ba9880a34bafd9a0799185b2a68457da1ba9cc786ffeabda7cf997cf7754071bb8753fd4965769e9213bda0806d6ff3d26c6657e35086c8b61d60adaed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
89f1e4ddf9cf62f0caa9239ee286866e

SHA1
7fcddd8ce5362828d88a7defc89d01301002b928

SHA256
a9aea8820b22d8803247913bc20a1bb52453089db96e5b3947b52a8fd2311a41

SHA512
56b45ba9880a34bafd9a0799185b2a68457da1ba9cc786ffeabda7cf997cf7754071bb8753fd4965769e9213bda0806d6ff3d26c6657e35086c8b61d60adaed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
dda649984e8d7797407d4149d98b80a8

SHA1
144cc27055ff73f61c6804a91fa2fe6ddf8667ca

SHA256
deed48a19e7f625fac76b2cf9900c513c879a8787fb25a2d6e9b13db3c1cf92f

SHA512
52e3f4d8d3bd17e8e9c630f9ee95d37de50476b5713256e846282997b5e9c59125ce85c58e278433fd30ff0bb76be3e95cbc37fd9e878b668bb977b7f8429a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e9253824b195fd54071d8134826df3c5

SHA1
b6e9478c87d8e4c28bd2b07aa27234f2fccee53a

SHA256
2cf03b375ccacf132bfb54a7d702b0d590a2ba4da641152621d50d7ab95736cf

SHA512
e43e6fe97a6e86f1bb77cf0c1531f8cd881ad38993bc8f62fa127629cc98f1f56fb1980e0d069988f2834df04a548fa1eb3a773bc44a303acaf787c15fc849e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
03b8da52cffe973dce1faeea180007cc

SHA1
e96de7124f3206d61c9035c900edac5d38abeae0

SHA256
0176e6b9a7e836e147395aa58ea38450b1a56e3ce14bb68146cb9524e30ea9da

SHA512
2fe1a56ecd1b690518ea3b51bba5c91c9a363ef7aace1b4fb54e212e1398e12e2af6ed8ddb5b9906ca8edfd94fee39665a68417e19715a97730b1edd0b7b67ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\03323554-eecb-4455-b5a3-49faa6874134\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7614225d-5ea4-4e9f-bbc7-93c1c6c5463a\7fa7e5c0-16e3-4d09-bd5c-c9aa33b459b6.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46c4871-c09a-4f0e-b94b-f618c679f19b\c3f14f9f-d04b-4643-b38c-cffd77563f58.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c48c7c29-f109-4e41-837a-74408452bdfd\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
MD5
e0fcc6006b8db87d96c047775ca5c598

SHA1
9429e298482ea5d8f2802353a4b97544e7bc0949

SHA256
7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

SHA512
20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
MD5
e0fcc6006b8db87d96c047775ca5c598

SHA1
9429e298482ea5d8f2802353a4b97544e7bc0949

SHA256
7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

SHA512
20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Download Submit
memory/188-256-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/188-183-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/188-251-0x000000007F8A0000-0x000000007F8A1000-memory.dmp

Filesize
4KB

Download
memory/188-128-0x0000000000000000-mapping.dmp

Download
memory/188-178-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/308-193-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/308-199-0x0000000004532000-0x0000000004533000-memory.dmp

Filesize
4KB

Download
memory/308-247-0x000000007EE40000-0x000000007EE41000-memory.dmp

Filesize
4KB

Download
memory/308-261-0x0000000004533000-0x0000000004534000-memory.dmp

Filesize
4KB

Download
memory/308-131-0x0000000000000000-mapping.dmp

Download
memory/1292-208-0x00000000011B0000-0x00000000012FA000-memory.dmp

Filesize
1.3MB

Download
memory/1292-134-0x0000000000000000-mapping.dmp

Download
memory/1416-194-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/1416-187-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1416-259-0x000000007E8E0000-0x000000007E8E1000-memory.dmp

Filesize
4KB

Download
memory/1416-185-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/1416-130-0x0000000000000000-mapping.dmp

Download
memory/1416-196-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/1416-258-0x0000000004C03000-0x0000000004C04000-memory.dmp

Filesize
4KB

Download
memory/1636-242-0x0000000006A62000-0x0000000006A63000-memory.dmp

Filesize
4KB

Download
memory/1636-240-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/1636-229-0x0000000000000000-mapping.dmp

Download
memory/1808-117-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1808-118-0x0000000002D40000-0x0000000002D9C000-memory.dmp

Filesize
368KB

Download
memory/1808-120-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1808-119-0x00000000054B0000-0x00000000059AE000-memory.dmp

Filesize
5.0MB

Download
memory/1808-121-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/1808-116-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/1808-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1808-158-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/2424-122-0x0000000000000000-mapping.dmp

Download
memory/2812-125-0x0000000000000000-mapping.dmp

Download
memory/3036-250-0x000000007F9B0000-0x000000007F9B1000-memory.dmp

Filesize
4KB

Download
memory/3036-182-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3036-129-0x0000000000000000-mapping.dmp

Download
memory/3036-254-0x00000000042A3000-0x00000000042A4000-memory.dmp

Filesize
4KB

Download
memory/3036-190-0x00000000042A2000-0x00000000042A3000-memory.dmp

Filesize
4KB

Download
memory/3120-138-0x0000000000000000-mapping.dmp

Download
memory/3120-211-0x00000000069D2000-0x00000000069D3000-memory.dmp

Filesize
4KB

Download
memory/3120-263-0x00000000069D3000-0x00000000069D4000-memory.dmp

Filesize
4KB

Download
memory/3120-205-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/3120-255-0x000000007F510000-0x000000007F511000-memory.dmp

Filesize
4KB

Download
memory/3260-340-0x0000000000000000-mapping.dmp

Download
memory/3264-215-0x0000000000000000-mapping.dmp

Download
memory/3684-144-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/3684-181-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3684-146-0x0000000007282000-0x0000000007283000-memory.dmp

Filesize
4KB

Download
memory/3684-257-0x0000000007283000-0x0000000007284000-memory.dmp

Filesize
4KB

Download
memory/3684-136-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3684-253-0x000000007F7A0000-0x000000007F7A1000-memory.dmp

Filesize
4KB

Download
memory/3684-140-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/3684-127-0x0000000000000000-mapping.dmp

Download
memory/4100-282-0x000000007F200000-0x000000007F201000-memory.dmp

Filesize
4KB

Download
memory/4100-226-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/4100-214-0x0000000000000000-mapping.dmp

Download
memory/4100-224-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/4104-209-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/4104-200-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4104-265-0x00000000049D3000-0x00000000049D4000-memory.dmp

Filesize
4KB

Download
memory/4104-262-0x000000007F090000-0x000000007F091000-memory.dmp

Filesize
4KB

Download
memory/4104-141-0x0000000000000000-mapping.dmp

Download
memory/4188-264-0x0000000004F33000-0x0000000004F34000-memory.dmp

Filesize
4KB

Download
memory/4188-260-0x000000007E810000-0x000000007E811000-memory.dmp

Filesize
4KB

Download
memory/4188-148-0x0000000000000000-mapping.dmp

Download
memory/4188-210-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4188-180-0x0000000004F32000-0x0000000004F33000-memory.dmp

Filesize
4KB

Download
memory/4288-313-0x0000000000000000-mapping.dmp

Download
memory/4488-218-0x0000000000000000-mapping.dmp

Download
memory/4636-267-0x0000000000000000-mapping.dmp

Download
memory/4636-273-0x0000000006E62000-0x0000000006E63000-memory.dmp

Filesize
4KB

Download
memory/4636-271-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/4900-231-0x0000000004BC2000-0x0000000004BC3000-memory.dmp

Filesize
4KB

Download
memory/4900-225-0x0000000000000000-mapping.dmp

Download
memory/4900-230-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/4924-232-0x0000000000000000-mapping.dmp

Download
memory/4924-243-0x0000000006580000-0x0000000006581000-memory.dmp

Filesize
4KB

Download
memory/4924-246-0x0000000006582000-0x0000000006583000-memory.dmp

Filesize
4KB

Download
memory/4948-227-0x0000000000000000-mapping.dmp

Download
memory/4948-234-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/4948-233-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/5004-268-0x0000000000000000-mapping.dmp

Download
memory/5004-272-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/5004-274-0x0000000004C72000-0x0000000004C73000-memory.dmp

Filesize
4KB

Download
memory/5048-236-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/5048-238-0x00000000041D2000-0x00000000041D3000-memory.dmp

Filesize
4KB

Download
memory/5048-228-0x0000000000000000-mapping.dmp

Download
memory/5060-220-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/5060-221-0x0000000004422000-0x0000000004423000-memory.dmp

Filesize
4KB

Download
memory/5060-212-0x0000000000000000-mapping.dmp

Download
memory/5096-213-0x0000000000000000-mapping.dmp

Download
memory/5096-223-0x0000000004422000-0x0000000004423000-memory.dmp

Filesize
4KB

Download
memory/5096-222-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/5188-248-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/5188-249-0x0000000004582000-0x0000000004583000-memory.dmp

Filesize
4KB

Download
memory/5188-235-0x0000000000000000-mapping.dmp

Download
memory/5260-237-0x0000000000000000-mapping.dmp

Download
memory/5260-252-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/5260-241-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/5372-245-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/5372-239-0x0000000000000000-mapping.dmp

Download
memory/5372-244-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/5876-277-0x0000000000000000-mapping.dmp

Download
memory/5956-275-0x0000000000000000-mapping.dmp

Download
memory/5956-280-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/6108-278-0x0000000000000000-mapping.dmp

Download
memory/6116-266-0x0000000000000000-mapping.dmp

Download
memory/6116-269-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/6116-270-0x0000000006D92000-0x0000000006D93000-memory.dmp

Filesize
4KB

Download
memory/6184-279-0x0000000000000000-mapping.dmp

Download
memory/6196-312-0x0000000000000000-mapping.dmp

Download
memory/6220-281-0x0000000000000000-mapping.dmp

Download
memory/6252-283-0x0000000000000000-mapping.dmp

Download
memory/6276-284-0x0000000000000000-mapping.dmp

Download
memory/6296-317-0x0000000000000000-mapping.dmp

Download
memory/6328-285-0x0000000000000000-mapping.dmp

Download
memory/6420-286-0x0000000000000000-mapping.dmp

Download
memory/6868-291-0x0000000000000000-mapping.dmp

Download
memory/6912-301-0x0000000000000000-mapping.dmp

Download
memory/6928-293-0x0000000000000000-mapping.dmp

Download
memory/6940-294-0x0000000000000000-mapping.dmp

Download
memory/6984-295-0x0000000000000000-mapping.dmp

Download
memory/7012-296-0x0000000000000000-mapping.dmp

Download
memory/7092-297-0x0000000000000000-mapping.dmp

Download
memory/7160-300-0x0000000000000000-mapping.dmp

Download
memory/7232-302-0x0000000000000000-mapping.dmp

Download
memory/7244-314-0x0000000000000000-mapping.dmp

Download
memory/7496-315-0x0000000000000000-mapping.dmp

Download
memory/7544-316-0x0000000000000000-mapping.dmp

Download
memory/7940-306-0x0000000000000000-mapping.dmp

Download
memory/7976-308-0x0000000000000000-mapping.dmp

Download
memory/8024-310-0x0000000000000000-mapping.dmp

Download
memory/8492-339-0x0000000000000000-mapping.dmp

Download
memory/8564-318-0x0000000000000000-mapping.dmp

Download
memory/8576-319-0x0000000000000000-mapping.dmp

Download
memory/8644-322-0x0000000000000000-mapping.dmp

Download
memory/8720-324-0x0000000000000000-mapping.dmp

Download
memory/8896-326-0x0000000000000000-mapping.dmp

Download
memory/8996-328-0x0000000000000000-mapping.dmp

Download
memory/9044-329-0x0000000000000000-mapping.dmp

Download
memory/9120-331-0x0000000000000000-mapping.dmp

Download