ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

Analysis

max time kernel
67s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Sheet.exe
Size

2.6MB
MD5

9bc1a47fdbd32cc92c94a9d1a84597ac
SHA1

63a5eb6563208137d12dd8fa4ede2e2c98e70033
SHA256

ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
SHA512

559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Score

10^/10

evasion trojan

Malware Config

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exeAdvancedRun.exe

pid process

3944 AdvancedRun.exe
3576 AdvancedRun.exe
3044 1Ua9ea19ce4Va7ea83fucAac58.exe
4672 AdvancedRun.exe
4880 AdvancedRun.exe

Drops startup file 2 IoCs

Processes:

Order Sheet.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe	Order Sheet.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Order Sheet.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Order Sheet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe = "0"	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Order Sheet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Order Sheet.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1Ua9ea19ce4Va7ea83fucAac58.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1Ua9ea19ce4Va7ea83fucAac58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1Ua9ea19ce4Va7ea83fucAac58.exe

Drops file in Windows directory 1 IoCs

Processes:

Order Sheet.exe

description ioc process

File created C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe Order Sheet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

10080 3044 WerFault.exe 1Ua9ea19ce4Va7ea83fucAac58.exe
5068 1744 WerFault.exe Order Sheet.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

9696 timeout.exe
9992 timeout.exe

description	ioc	process
File created	C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe	Order Sheet.exe

pid	pid_target	process	target process
10080	3044	WerFault.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
5068	1744	WerFault.exe	Order Sheet.exe

pid	process
9696	timeout.exe
9992	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3944	AdvancedRun.exe
3944	AdvancedRun.exe
3944	AdvancedRun.exe
3944	AdvancedRun.exe
3576	AdvancedRun.exe
3576	AdvancedRun.exe
3576	AdvancedRun.exe
3576	AdvancedRun.exe
1296	powershell.exe
1296	powershell.exe
3876	powershell.exe
3876	powershell.exe
2716	powershell.exe
2716	powershell.exe
4004	powershell.exe
4004	powershell.exe
2748	powershell.exe
2748	powershell.exe
3784	powershell.exe
3784	powershell.exe
4116	powershell.exe
4116	powershell.exe
4188	powershell.exe
4188	powershell.exe
4672	AdvancedRun.exe
4672	AdvancedRun.exe
4672	AdvancedRun.exe
4672	AdvancedRun.exe
1296	powershell.exe
3876	powershell.exe
4880	AdvancedRun.exe
4880	AdvancedRun.exe
4880	AdvancedRun.exe
4880	AdvancedRun.exe
4004	powershell.exe
2716	powershell.exe
3784	powershell.exe
2748	powershell.exe
4116	powershell.exe
4188	powershell.exe
3876	powershell.exe
1296	powershell.exe
5020	powershell.exe
5020	powershell.exe
5056	powershell.exe
5056	powershell.exe
5100	powershell.exe
5100	powershell.exe
4004	powershell.exe
2748	powershell.exe
2748	powershell.exe
3636	powershell.exe
3636	powershell.exe
4648	powershell.exe
4648	powershell.exe
4680	powershell.exe
4680	powershell.exe
4740	powershell.exe
4740	powershell.exe
4808	powershell.exe
4808	powershell.exe
2716	powershell.exe
2716	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3944	AdvancedRun.exe
Token: SeImpersonatePrivilege	3944	AdvancedRun.exe
Token: SeDebugPrivilege	3576	AdvancedRun.exe
Token: SeImpersonatePrivilege	3576	AdvancedRun.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4672	AdvancedRun.exe
Token: SeImpersonatePrivilege	4672	AdvancedRun.exe
Token: SeDebugPrivilege	4880	AdvancedRun.exe
Token: SeImpersonatePrivilege	4880	AdvancedRun.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	5156	powershell.exe
Token: SeDebugPrivilege	5604	powershell.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	5984	powershell.exe
Token: SeDebugPrivilege	6052	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	6416	powershell.exe
Token: SeDebugPrivilege	6480	powershell.exe
Token: SeDebugPrivilege	6440	powershell.exe
Token: SeDebugPrivilege	6980	powershell.exe
Token: SeDebugPrivilege	7008	powershell.exe
Token: SeDebugPrivilege	7060	powershell.exe
Token: SeDebugPrivilege	6676	powershell.exe
Token: SeDebugPrivilege	6672	powershell.exe
Token: SeDebugPrivilege	6960	powershell.exe
Token: SeDebugPrivilege	6904	powershell.exe
Token: SeDebugPrivilege	7056	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	7500	powershell.exe
Token: SeDebugPrivilege	7556	powershell.exe
Token: SeDebugPrivilege	7604	powershell.exe
Token: SeDebugPrivilege	8188	powershell.exe
Token: SeDebugPrivilege	7068	powershell.exe
Token: SeDebugPrivilege	6552	powershell.exe
Token: SeDebugPrivilege	7176	powershell.exe
Token: SeDebugPrivilege	7420	powershell.exe
Token: SeDebugPrivilege	7584	powershell.exe
Token: SeDebugPrivilege	8532	powershell.exe
Token: SeDebugPrivilege	8560	powershell.exe
Token: SeDebugPrivilege	8612	powershell.exe
Token: SeDebugPrivilege	8592	powershell.exe
Token: SeDebugPrivilege	8656	powershell.exe
Token: SeDebugPrivilege	8728	powershell.exe
Token: SeDebugPrivilege	9076	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order Sheet.exeAdvancedRun.exe1Ua9ea19ce4Va7ea83fucAac58.exeAdvancedRun.exe

description	pid	process	target process
PID 1744 wrote to memory of 3944	1744	Order Sheet.exe	AdvancedRun.exe
PID 1744 wrote to memory of 3944	1744	Order Sheet.exe	AdvancedRun.exe
PID 1744 wrote to memory of 3944	1744	Order Sheet.exe	AdvancedRun.exe
PID 3944 wrote to memory of 3576	3944	AdvancedRun.exe	AdvancedRun.exe
PID 3944 wrote to memory of 3576	3944	AdvancedRun.exe	AdvancedRun.exe
PID 3944 wrote to memory of 3576	3944	AdvancedRun.exe	AdvancedRun.exe
PID 1744 wrote to memory of 1296	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 1296	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 1296	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3876	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3876	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3876	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2716	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2716	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2716	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4004	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4004	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4004	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2748	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2748	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 2748	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3044	1744	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 1744 wrote to memory of 3044	1744	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 1744 wrote to memory of 3044	1744	Order Sheet.exe	1Ua9ea19ce4Va7ea83fucAac58.exe
PID 1744 wrote to memory of 3784	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3784	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 3784	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4116	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4116	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4116	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4188	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4188	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 4188	1744	Order Sheet.exe	powershell.exe
PID 3044 wrote to memory of 4672	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 3044 wrote to memory of 4672	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 3044 wrote to memory of 4672	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	AdvancedRun.exe
PID 4672 wrote to memory of 4880	4672	AdvancedRun.exe	AdvancedRun.exe
PID 4672 wrote to memory of 4880	4672	AdvancedRun.exe	AdvancedRun.exe
PID 4672 wrote to memory of 4880	4672	AdvancedRun.exe	AdvancedRun.exe
PID 1744 wrote to memory of 5020	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5020	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5020	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5056	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5056	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5056	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5100	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5100	1744	Order Sheet.exe	powershell.exe
PID 1744 wrote to memory of 5100	1744	Order Sheet.exe	powershell.exe
PID 3044 wrote to memory of 3636	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 3636	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 3636	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4648	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4648	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4648	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4680	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4680	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4680	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4740	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4740	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4740	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4808	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4808	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 3044 wrote to memory of 4808	3044	1Ua9ea19ce4Va7ea83fucAac58.exe	powershell.exe
PID 1744 wrote to memory of 5096	1744	Order Sheet.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

1Ua9ea19ce4Va7ea83fucAac58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1Ua9ea19ce4Va7ea83fucAac58.exe

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
1⤵
- Drops startup file
- Windows security modification
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe" /SpecialRun 4101d8 3944
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3044

C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe" /SpecialRun 4101d8 4672
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:9076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:9108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:9180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe" -Force
3⤵
PID:8680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
PID:2192

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:9696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe"
3⤵
PID:9092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1720
3⤵
- Program crash
PID:10080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
PID:9260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe" -Force
2⤵
PID:9628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\0c444a573R804Dxd905a84eh97a7240cT7p5fcH3e0d8A\svchost.exe" -Force
2⤵
PID:9664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:9392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:9992

C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sheet.exe"
2⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1756
2⤵
- Program crash
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5806d8e44e28e9c4d2a9610721e19157

SHA1
4dad56be99b6b515c260a48f69902b9e8facbc47

SHA256
bea47a14aaf0ad4a07d4e18415fbfc549ec646b92c0dcef8599b88755f5af723

SHA512
b1addf8e93d3b12e84e66ba3955907cfbd1cb817c146bbf8596f9547a2b1ff92d4f61a8fb10f06dfdd858a5143cd8ab6270da4f40a6a5c593db7a9aa49880465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
91490fc7cd4d7c5012158a1c0e99344f

SHA1
33edf87d925606ec597c61c297016d854203049c

SHA256
44f9ed46d8cd7d0c23648b550418cffb74ea34b283238f1a6abf3ee6bc0d98b9

SHA512
4d91ab120350f344930edc69591e3847555a8d6461221e8b63ec78d30d1ab45f82d00543b910c961cffea175a43b9d28e8f38d33c465f224dba9ce96a42d7001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d784d91fe74827ca338be3f6a3c2cf4c

SHA1
8c16a2565ad828678a1a26e3b55a67a3c73b4a9c

SHA256
e65a4d3e7c9dbf67e21623f4f70faf893b2e54b06d52ba16ae02d08de304aafc

SHA512
9bc3bef794fcf4274c18ab922bfa4f7f1d8a4b51016e5ea056f025e7199203055b7f39abfdc56ded82d8e7fc8ecc93f087c9fa5e2e79883270803b6226b4162e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7ee6edf5e59da4c3ef26d761dc725473

SHA1
ca645dcf385ffc3be4eea6528e7086e23abc101b

SHA256
b294b9297d3ee8ee202d692d7ff80b8b0c025cfdaa215d586378074d55e37cb0

SHA512
b3b990130ac47f23afcccedcf116fcecf5124d63b268fc95b1dbef928fe906c8ffdab4178ed8f418ff2ed8b160fc341a03117540e3ddae1345d7194352b71ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
55cf2a3bd59387262f5f8b7a742c200e

SHA1
0b5657c2b4fd493ef4828a3d9c9899add0f7f428

SHA256
fdae9ff0cf8057f842828d1466ca8233b60609c20935ef88ecb5531bf7cbf4d7

SHA512
fc87b16a14bf590dd05590df41502317ee22911622315e3a9741b86d7329b11a6f0ef8002e85a8c5d09df7e43fae93d8b3b2c43bca668e2d3470a02c93a5958a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5c0192208b4162a8c94f1f3168477cd5

SHA1
bcc3b32243f03262d2e49b2ed26668d3215b0892

SHA256
af4c7a572b265ded7c33bb1334762d85904461e3d2fc307c63c602c8f6e46408

SHA512
d2346b2a37c87f1e06116f8a0fd586e298664bef555daf61ade76b465f6b72837c6d72affa04b03c84b51f8a4c4305a4f4a097df07cf96a6450bdeb9fca200b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
530816fea49c35a79e4bc21a56fe1c6b

SHA1
c76f40d56ef5f7bdf77cdff3051f0ac92df7fafe

SHA256
fb2a6f593b33bb614df56615fc697e6738070eaa5052496a57b3b04b60a1cd91

SHA512
51976740ccf97d9ea5923ad4fae83a10c6bbfe400bb3e3d693503673f8440915042d653b7b6bb9e1bf8a4cf5daf5c0b4817316b3becc8dcfb98840a3bfbb4404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7ee6edf5e59da4c3ef26d761dc725473

SHA1
ca645dcf385ffc3be4eea6528e7086e23abc101b

SHA256
b294b9297d3ee8ee202d692d7ff80b8b0c025cfdaa215d586378074d55e37cb0

SHA512
b3b990130ac47f23afcccedcf116fcecf5124d63b268fc95b1dbef928fe906c8ffdab4178ed8f418ff2ed8b160fc341a03117540e3ddae1345d7194352b71ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9b0b8bfdc4b27c1063099726c74f11b4

SHA1
35916c3facc491a16c0b6d8034b1650bbb43b0e4

SHA256
5006edeaac18c15173bfc0418a7f6bba461131692cf526b99c41aee5858e6f64

SHA512
d89b9738e8abcf509f742abd0898ef5489bc1bbff5ffa84aff3c676957132a3b6aa176204dcabb9421529501881ae73f58f98fbba00287333a1f2fb0a0215a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9b0b8bfdc4b27c1063099726c74f11b4

SHA1
35916c3facc491a16c0b6d8034b1650bbb43b0e4

SHA256
5006edeaac18c15173bfc0418a7f6bba461131692cf526b99c41aee5858e6f64

SHA512
d89b9738e8abcf509f742abd0898ef5489bc1bbff5ffa84aff3c676957132a3b6aa176204dcabb9421529501881ae73f58f98fbba00287333a1f2fb0a0215a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
50955d028244a9056e49c6edd2c9ff65

SHA1
dbd88db3b3ccb539c615ce42d2101764f19bb343

SHA256
f487a2a46629e96a069f495313a232c18c3f1627f8c1346a005bf8079251e740

SHA512
3524f10183ff1989aa04097d6b5d2c31516bdb8c4a23ddee02c9e2fc84bcc16ad492c82d6fe3858ca0d00e7eb2909b700a88541afba97ff14796e7b3dbd8f6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
805936ef35a927cdd79e710b8911415b

SHA1
6d64e2efc2b7f1f0874b6c97f2edfad3dd8995ed

SHA256
e0985a71671a91c5050afdee5acd41ae987e234f552745a90484b2cd74e52d98

SHA512
067d440aa8c52e2ef09a32641bb8e0d302b71b3fadce1a33466659739da2f371a0b636353b61d056a87c79f2d144cce15e5c01666036766cf7bcb953c77926ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ca45147512a03a6d96a8403595f23063

SHA1
5b422b0f0c08cdaa2b9aceaf25e9400669c59d93

SHA256
22198fb971259ab441ad38f4dadc2f022e433b95624fdc68ae7a78a8501a053a

SHA512
5d512515fe8bb5c5571faae059131dcd188a19957a35d3c1f36da4bdbdc8187bf89cb975b1fee88b5ddf72eed4aae64fb81ff0411c731405d7ed5e9b33b65047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7d552a288e6a454c395ee202ad25360b

SHA1
601adb9e8f1b203de2204a79b279fae749f19b99

SHA256
875a3e7c41de2f62b6aec9f7717cd44a112f05e72b56a29bc0923958f21eadf4

SHA512
01055d40f1ee48cb5089c1745f5d375fadc0e96bf540e4995d4119b83db2742b139e18c84d0874ab5ccdc5ba26a00f3298c01edc2d3527c1f6387e1207012511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d6920049e748160bfec564ecff083563

SHA1
eae1d0ae598efeab223804b1fa4bdefa2cdf2a09

SHA256
0f8cb2bebeae1d910e36efadc790af7b04e1d68be85a4d11f441f6b3da10ac63

SHA512
8cd6debab77733ef6c0254e31c27baf63e6f90f13cae41021218ed522ddafc6f2df28dcd24d4570754a9848db7b690e7e7ae8b145fe8e2b00e622c8d7d9b0d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d6920049e748160bfec564ecff083563

SHA1
eae1d0ae598efeab223804b1fa4bdefa2cdf2a09

SHA256
0f8cb2bebeae1d910e36efadc790af7b04e1d68be85a4d11f441f6b3da10ac63

SHA512
8cd6debab77733ef6c0254e31c27baf63e6f90f13cae41021218ed522ddafc6f2df28dcd24d4570754a9848db7b690e7e7ae8b145fe8e2b00e622c8d7d9b0d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e73177ed8df91d6b6b4db2fd78df718c

SHA1
ef3d18fcea605f9843ece5512ecd5fec7ccc5bd4

SHA256
0d9f579a2d3a45a5e1b3563d5ae42bd1b9309543b1a725667649c928f0cb3da0

SHA512
10f59eaf6a27751995e0a0dde2d6d595535516897d062c2bc61a31f3b78de5a988ad71914ece152459f55bc66a2e85769d82a1f50efeb6e81719d0f270ccf0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
e73177ed8df91d6b6b4db2fd78df718c

SHA1
ef3d18fcea605f9843ece5512ecd5fec7ccc5bd4

SHA256
0d9f579a2d3a45a5e1b3563d5ae42bd1b9309543b1a725667649c928f0cb3da0

SHA512
10f59eaf6a27751995e0a0dde2d6d595535516897d062c2bc61a31f3b78de5a988ad71914ece152459f55bc66a2e85769d82a1f50efeb6e81719d0f270ccf0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
01ad8401fca4744955c2d888edea068b

SHA1
b077b48e5a20af0502ba2345f90e4535dd619657

SHA256
3da9558cded8441fa29c7f56c758373b2065e5d705e9165077152eb61dc13043

SHA512
af6bfd241698844e076ffdc95907ceff6942a5a1d13ce21d2754c634a1d4a24765de4845c234ffa5e9f846f87c592531a0ee11bf6dcdf11b1d2293a1cc102d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9db1ddaab08fb2d3a40a0615c3c0afab

SHA1
865edde219f687e4e536e136f14e718a0d56212d

SHA256
7f1ed2e961014758881362152549d7dbab90a71704a3846a4260bf62b05c60b0

SHA512
eb2e5f212729d9c6edeabd3c2ec6317dfec17e31cfd798aaedd9a16bb704a3b78bc3177bb2664da16677f64a3c14b0e27deb42ec0eefcc1e939cbe81b4452b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9db1ddaab08fb2d3a40a0615c3c0afab

SHA1
865edde219f687e4e536e136f14e718a0d56212d

SHA256
7f1ed2e961014758881362152549d7dbab90a71704a3846a4260bf62b05c60b0

SHA512
eb2e5f212729d9c6edeabd3c2ec6317dfec17e31cfd798aaedd9a16bb704a3b78bc3177bb2664da16677f64a3c14b0e27deb42ec0eefcc1e939cbe81b4452b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9db1ddaab08fb2d3a40a0615c3c0afab

SHA1
865edde219f687e4e536e136f14e718a0d56212d

SHA256
7f1ed2e961014758881362152549d7dbab90a71704a3846a4260bf62b05c60b0

SHA512
eb2e5f212729d9c6edeabd3c2ec6317dfec17e31cfd798aaedd9a16bb704a3b78bc3177bb2664da16677f64a3c14b0e27deb42ec0eefcc1e939cbe81b4452b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c5aff1e7d4d7a433806237f9d320938e

SHA1
80577aa295919c2d3f9b456bedcb639a239e41b4

SHA256
3e5b7295bcf612e05ab66f3dbbafa0719a984ba3a163364cf26733e385848606

SHA512
e0da073f74f3c09af3c7c45293fb223a666fda865d43fc921afa0ffa9f111e266e393865158936f3801602b959e7e1227d5a512062e228bd777d2b6f5a2512c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c5aff1e7d4d7a433806237f9d320938e

SHA1
80577aa295919c2d3f9b456bedcb639a239e41b4

SHA256
3e5b7295bcf612e05ab66f3dbbafa0719a984ba3a163364cf26733e385848606

SHA512
e0da073f74f3c09af3c7c45293fb223a666fda865d43fc921afa0ffa9f111e266e393865158936f3801602b959e7e1227d5a512062e228bd777d2b6f5a2512c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
260cad0fe43bba89bc31cc104eb95aeb

SHA1
1b54e08331db4ef8986eefb5eb9b2f5d4c97281d

SHA256
cf12150b198ad062c57904423ee9c40c0727e588952c7d8c27ad2b33142bccd8

SHA512
222884d8ccb1cb8d604babe0c4cc626d4c5d364601355aedaeefe4bbd2c1b7872937a9bab5d68de99a22f3357e46ed38afa122ce2d8262271968d705d791f3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
260cad0fe43bba89bc31cc104eb95aeb

SHA1
1b54e08331db4ef8986eefb5eb9b2f5d4c97281d

SHA256
cf12150b198ad062c57904423ee9c40c0727e588952c7d8c27ad2b33142bccd8

SHA512
222884d8ccb1cb8d604babe0c4cc626d4c5d364601355aedaeefe4bbd2c1b7872937a9bab5d68de99a22f3357e46ed38afa122ce2d8262271968d705d791f3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
260cad0fe43bba89bc31cc104eb95aeb

SHA1
1b54e08331db4ef8986eefb5eb9b2f5d4c97281d

SHA256
cf12150b198ad062c57904423ee9c40c0727e588952c7d8c27ad2b33142bccd8

SHA512
222884d8ccb1cb8d604babe0c4cc626d4c5d364601355aedaeefe4bbd2c1b7872937a9bab5d68de99a22f3357e46ed38afa122ce2d8262271968d705d791f3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7afbd09f4b426a3b1a69c8954aff9969

SHA1
8c48a717fcfbf475195a567ab4b9e9dd0b8d5a06

SHA256
dc8ba8940169e1a013214c58af4e7eb69bdc0cef9b66be6dee887dc6422aaf02

SHA512
f9aacdd739b5fd89e44a22853c5dfd48c55c035fd7ccc5e6a6afb3f4ae11e3062486964f3834021763532388de5defa9b5f1dd1017df646318472834600dffed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
118899adf8f926ebcdc33b782a83e5be

SHA1
34e7064f67626e2f6d04171addcbbc221b01fa1b

SHA256
eb79102501f8485dd7d043f95a1067e7bacf069a7f4780bf2c347639fe60d1f1

SHA512
96f867767c91c292f280d54ada2957bf6f6e42f35c72eae25747bf0d7f889cec82f0b6a8ae4770b39e372c9a02eb0265c47702ddff21855e676ead79e63832db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6f397f78b27b56ff97a30838951a6bb4

SHA1
81006b31ec18d5526184e8c5cfa769adcf322e36

SHA256
588fdf172c50725199b7abd6d9f2aac1663479fbaea0f9e82b2cf4b0b7616713

SHA512
63259f0ad253af7544cf38ceca0d77f5197f2632386b931f0fda108eb0b6a4a1294ab57632863291711e1c2c22d65c841590e9da705e6d6c2815ffc1047b82bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
19abb5def0395fbe2bfbfedf882b3e5a

SHA1
8ae9aefae35adfba20ad3a85a3e4cb65b736085c

SHA256
0a16e3eb103a582f5e1979e1726eac39481b15eae279f28c0e47232e247b1bc1

SHA512
f5e511dbeec5a7024f12342d4dda2a478c931bdb450ab9e763103dbc7052f612f5a3ffa67863a5c909d82ef04fc226bfe1ad4bda8e18607f0618c245a42f9146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6f397f78b27b56ff97a30838951a6bb4

SHA1
81006b31ec18d5526184e8c5cfa769adcf322e36

SHA256
588fdf172c50725199b7abd6d9f2aac1663479fbaea0f9e82b2cf4b0b7616713

SHA512
63259f0ad253af7544cf38ceca0d77f5197f2632386b931f0fda108eb0b6a4a1294ab57632863291711e1c2c22d65c841590e9da705e6d6c2815ffc1047b82bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6f397f78b27b56ff97a30838951a6bb4

SHA1
81006b31ec18d5526184e8c5cfa769adcf322e36

SHA256
588fdf172c50725199b7abd6d9f2aac1663479fbaea0f9e82b2cf4b0b7616713

SHA512
63259f0ad253af7544cf38ceca0d77f5197f2632386b931f0fda108eb0b6a4a1294ab57632863291711e1c2c22d65c841590e9da705e6d6c2815ffc1047b82bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0c8a626263045c2ee2178a6ca39b45d4

SHA1
c44a76cf7cc4eced2655936f275071b264012c05

SHA256
34dce5b7fc80c8fef2a2ee1f595703680c0ad65bc16e353aaf313036252adb90

SHA512
bb822a45a8bc4fa7017c973b2863ae20a25cbc282ed007223137f36bb3794d7837851b7a39dad0aec2ae8dec6269638f8d535c2a604e430e0c36a7056362a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0c8a626263045c2ee2178a6ca39b45d4

SHA1
c44a76cf7cc4eced2655936f275071b264012c05

SHA256
34dce5b7fc80c8fef2a2ee1f595703680c0ad65bc16e353aaf313036252adb90

SHA512
bb822a45a8bc4fa7017c973b2863ae20a25cbc282ed007223137f36bb3794d7837851b7a39dad0aec2ae8dec6269638f8d535c2a604e430e0c36a7056362a639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
23293dbc1b8d99a36ffc798b62891ab8

SHA1
0358d135a3bec8607a8b4179ed7d4db7e2757f27

SHA256
8dd996524e007bb374523e7de202d036efb9c5e4f31cb10792d2a0797ad8b54f

SHA512
aff2a5c2beecc3db06e910f7535d5f569eff5acd021ed0e481424e9c65a2700036e97dd9bd312d493a659e297ac880da42aa8ef47c2eea13b093a1eb5cbe3906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
23293dbc1b8d99a36ffc798b62891ab8

SHA1
0358d135a3bec8607a8b4179ed7d4db7e2757f27

SHA256
8dd996524e007bb374523e7de202d036efb9c5e4f31cb10792d2a0797ad8b54f

SHA512
aff2a5c2beecc3db06e910f7535d5f569eff5acd021ed0e481424e9c65a2700036e97dd9bd312d493a659e297ac880da42aa8ef47c2eea13b093a1eb5cbe3906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
3462071069934100cdb24c0d963418db

SHA1
b29ccbe688b04b9b56c48976a2071cdc465aa2ea

SHA256
f2b354e6036daa41068c05fdacfd47bbfe293144f11152ca1ed4ea9ea2c39617

SHA512
c120c49261d3e367543ffbd7eab3cd4f037a721de3099db9e13e40cca9005249cfd2eb9405dbc755f3c661ae699ccbc2c6526c70f655f3db9bf6fc89c4e48838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
863708814bdca43889a9f9e4f684d766

SHA1
dbc137990badeb715fd39912d979abd47664ae58

SHA256
3c52cc64be5f7295fd3272935e27a232f6c5e9d6a4fbc8038c0e8931fd5523ed

SHA512
862d8cd15aac628017cd546d62ba059e449bf3545837f744b1275dd385d1e09329fc006b628862b12d7b2a9dc5f4ba90529623d007c41460209d3e53b0271696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
863708814bdca43889a9f9e4f684d766

SHA1
dbc137990badeb715fd39912d979abd47664ae58

SHA256
3c52cc64be5f7295fd3272935e27a232f6c5e9d6a4fbc8038c0e8931fd5523ed

SHA512
862d8cd15aac628017cd546d62ba059e449bf3545837f744b1275dd385d1e09329fc006b628862b12d7b2a9dc5f4ba90529623d007c41460209d3e53b0271696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
863708814bdca43889a9f9e4f684d766

SHA1
dbc137990badeb715fd39912d979abd47664ae58

SHA256
3c52cc64be5f7295fd3272935e27a232f6c5e9d6a4fbc8038c0e8931fd5523ed

SHA512
862d8cd15aac628017cd546d62ba059e449bf3545837f744b1275dd385d1e09329fc006b628862b12d7b2a9dc5f4ba90529623d007c41460209d3e53b0271696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
863708814bdca43889a9f9e4f684d766

SHA1
dbc137990badeb715fd39912d979abd47664ae58

SHA256
3c52cc64be5f7295fd3272935e27a232f6c5e9d6a4fbc8038c0e8931fd5523ed

SHA512
862d8cd15aac628017cd546d62ba059e449bf3545837f744b1275dd385d1e09329fc006b628862b12d7b2a9dc5f4ba90529623d007c41460209d3e53b0271696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5c507610861f680175c7c3a2ae479c05

SHA1
860129077e44d36f245d2f1e888cd5beaf380226

SHA256
31383323761e559db2aebcdaff7892a6fc76ad4d9c560d203696e68bafcefaed

SHA512
bf02584761037160c558457e4ca81356dd25b61290fac75b3d94c57f0a1d9a66bfb01fcd318cc887104f70a2b320d07a074075f2a010d7a36d7ef5f2513edde7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fc7df1ddd468b87132df03d6184a7662

SHA1
561e0f81b5d3f2067a6e342d1de45c9a37e866cc

SHA256
16ef2d91fafda7e5c2da919837b3ee88e2ea5a8cfc33083c3e653417884a602d

SHA512
9b6c9d0534c9ad8df39ec40b9185a5896fdc5e5ff732fa0be3ee3e1fc986571a25a0d5e32c18edad294d59a9cfbb75f25944e25d106468ce29c5402eaad2498b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7c651f4985cbe5eeefea6ed6f7439c9a

SHA1
ecaf8cf1b177d5040db89fb2bb42e5c38003d69f

SHA256
0dedbe4f0aa6c748216d05a7d1edadf17dbecf466cb501b3ebc348658992462c

SHA512
773ced5bf0b3b0d92cf1b038ec8e8e46663b1f25ea884b4abb7fb0866754bd17c6223b4b797c8cec858122a356c1eefa3d20a8531bf07172195a6e7166de9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7c651f4985cbe5eeefea6ed6f7439c9a

SHA1
ecaf8cf1b177d5040db89fb2bb42e5c38003d69f

SHA256
0dedbe4f0aa6c748216d05a7d1edadf17dbecf466cb501b3ebc348658992462c

SHA512
773ced5bf0b3b0d92cf1b038ec8e8e46663b1f25ea884b4abb7fb0866754bd17c6223b4b797c8cec858122a356c1eefa3d20a8531bf07172195a6e7166de9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7c651f4985cbe5eeefea6ed6f7439c9a

SHA1
ecaf8cf1b177d5040db89fb2bb42e5c38003d69f

SHA256
0dedbe4f0aa6c748216d05a7d1edadf17dbecf466cb501b3ebc348658992462c

SHA512
773ced5bf0b3b0d92cf1b038ec8e8e46663b1f25ea884b4abb7fb0866754bd17c6223b4b797c8cec858122a356c1eefa3d20a8531bf07172195a6e7166de9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7c651f4985cbe5eeefea6ed6f7439c9a

SHA1
ecaf8cf1b177d5040db89fb2bb42e5c38003d69f

SHA256
0dedbe4f0aa6c748216d05a7d1edadf17dbecf466cb501b3ebc348658992462c

SHA512
773ced5bf0b3b0d92cf1b038ec8e8e46663b1f25ea884b4abb7fb0866754bd17c6223b4b797c8cec858122a356c1eefa3d20a8531bf07172195a6e7166de9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7c651f4985cbe5eeefea6ed6f7439c9a

SHA1
ecaf8cf1b177d5040db89fb2bb42e5c38003d69f

SHA256
0dedbe4f0aa6c748216d05a7d1edadf17dbecf466cb501b3ebc348658992462c

SHA512
773ced5bf0b3b0d92cf1b038ec8e8e46663b1f25ea884b4abb7fb0866754bd17c6223b4b797c8cec858122a356c1eefa3d20a8531bf07172195a6e7166de9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2a1cb6d2c30db64af313cc8d62a51788

SHA1
15edea5102ab458a03d2111df94d284056a49e5e

SHA256
64ccc6bbaa96bc568cbd3817fc5105bd5a74c5ab7d5c6771eb5b745116eeb37f

SHA512
4c1c37dcfa46f53c6a76434377052fcf9f0c59e58c14212c962541e6625cf06e0dfcc7c2c256e1b19539a13c02da1c6ccedc22151bbe84a9b1f03fd2433ab9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2a1cb6d2c30db64af313cc8d62a51788

SHA1
15edea5102ab458a03d2111df94d284056a49e5e

SHA256
64ccc6bbaa96bc568cbd3817fc5105bd5a74c5ab7d5c6771eb5b745116eeb37f

SHA512
4c1c37dcfa46f53c6a76434377052fcf9f0c59e58c14212c962541e6625cf06e0dfcc7c2c256e1b19539a13c02da1c6ccedc22151bbe84a9b1f03fd2433ab9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2a1cb6d2c30db64af313cc8d62a51788

SHA1
15edea5102ab458a03d2111df94d284056a49e5e

SHA256
64ccc6bbaa96bc568cbd3817fc5105bd5a74c5ab7d5c6771eb5b745116eeb37f

SHA512
4c1c37dcfa46f53c6a76434377052fcf9f0c59e58c14212c962541e6625cf06e0dfcc7c2c256e1b19539a13c02da1c6ccedc22151bbe84a9b1f03fd2433ab9ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a969da22dd1e8c1cdbcfa0d82a1b3bdc

SHA1
18c5e3d0f66d3a89b1165b0049ae1e06cd1ee39c

SHA256
c7f971b5d42c6a8c2d31a4b2ccab2b1f44dccb1f2d770d3dda442ed95b78156c

SHA512
f9e395b14ef414ab9eea649688fa3c9f9c7bac9731c02da5a289bb5de89beebf30da8d2fd04d1ec5e813ef67b5bcb1855a225b0229f4ad57bbbea220ba0a6c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2a1cb6d2c30db64af313cc8d62a51788

SHA1
15edea5102ab458a03d2111df94d284056a49e5e

SHA256
64ccc6bbaa96bc568cbd3817fc5105bd5a74c5ab7d5c6771eb5b745116eeb37f

SHA512
4c1c37dcfa46f53c6a76434377052fcf9f0c59e58c14212c962541e6625cf06e0dfcc7c2c256e1b19539a13c02da1c6ccedc22151bbe84a9b1f03fd2433ab9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4de717-6335-4e07-bf67-a3b0afac93a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57ce907-960a-476f-8306-0a9563823349\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ua9ea19ce4Va7ea83fucAac58.exe
MD5
9bc1a47fdbd32cc92c94a9d1a84597ac

SHA1
63a5eb6563208137d12dd8fa4ede2e2c98e70033

SHA256
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8

SHA512
559eef9b71eee6eeeb56f8d87462cdea654248de58b5155ae50062c917afddca680970d32ec6dd3b1b67ab8fb7ba23d6b0cf2dc5b2a89b560347481446f6778f

Download Submit
memory/732-328-0x0000000000000000-mapping.dmp

Download
memory/1296-140-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1296-142-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/1296-259-0x0000000004503000-0x0000000004504000-memory.dmp

Filesize
4KB

Download
memory/1296-245-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

Filesize
4KB

Download
memory/1296-126-0x0000000000000000-mapping.dmp

Download
memory/1296-138-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1296-145-0x0000000004502000-0x0000000004503000-memory.dmp

Filesize
4KB

Download
memory/1744-163-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/1744-120-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/1744-114-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1744-116-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1744-117-0x00000000054C0000-0x000000000552E000-memory.dmp

Filesize
440KB

Download
memory/1744-118-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/1744-119-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/2236-282-0x0000000000000000-mapping.dmp

Download
memory/2716-128-0x0000000000000000-mapping.dmp

Download
memory/2716-279-0x0000000006E33000-0x0000000006E34000-memory.dmp

Filesize
4KB

Download
memory/2716-158-0x0000000006E32000-0x0000000006E33000-memory.dmp

Filesize
4KB

Download
memory/2716-153-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2716-276-0x000000007EAC0000-0x000000007EAC1000-memory.dmp

Filesize
4KB

Download
memory/2748-257-0x0000000004743000-0x0000000004744000-memory.dmp

Filesize
4KB

Download
memory/2748-254-0x000000007EC80000-0x000000007EC81000-memory.dmp

Filesize
4KB

Download
memory/2748-131-0x0000000000000000-mapping.dmp

Download
memory/2748-184-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2748-195-0x0000000004742000-0x0000000004743000-memory.dmp

Filesize
4KB

Download
memory/3044-134-0x0000000000000000-mapping.dmp

Download
memory/3044-192-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3576-124-0x0000000000000000-mapping.dmp

Download
memory/3636-225-0x0000000000000000-mapping.dmp

Download
memory/3636-231-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/3636-233-0x00000000064A2000-0x00000000064A3000-memory.dmp

Filesize
4KB

Download
memory/3784-198-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3784-141-0x0000000000000000-mapping.dmp

Download
memory/3784-199-0x0000000002942000-0x0000000002943000-memory.dmp

Filesize
4KB

Download
memory/3876-150-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/3876-189-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/3876-185-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3876-244-0x000000007F240000-0x000000007F241000-memory.dmp

Filesize
4KB

Download
memory/3876-155-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3876-193-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/3876-260-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/3876-197-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/3876-127-0x0000000000000000-mapping.dmp

Download
memory/3944-121-0x0000000000000000-mapping.dmp

Download
memory/4004-129-0x0000000000000000-mapping.dmp

Download
memory/4004-188-0x0000000006E22000-0x0000000006E23000-memory.dmp

Filesize
4KB

Download
memory/4004-181-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/4004-251-0x000000007FBC0000-0x000000007FBC1000-memory.dmp

Filesize
4KB

Download
memory/4004-246-0x0000000006E23000-0x0000000006E24000-memory.dmp

Filesize
4KB

Download
memory/4116-149-0x0000000000000000-mapping.dmp

Download
memory/4116-202-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/4116-205-0x0000000004102000-0x0000000004103000-memory.dmp

Filesize
4KB

Download
memory/4116-278-0x000000007EEE0000-0x000000007EEE1000-memory.dmp

Filesize
4KB

Download
memory/4188-183-0x0000000006B82000-0x0000000006B83000-memory.dmp

Filesize
4KB

Download
memory/4188-154-0x0000000000000000-mapping.dmp

Download
memory/4188-208-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/4188-277-0x000000007E2E0000-0x000000007E2E1000-memory.dmp

Filesize
4KB

Download
memory/4216-281-0x0000000000000000-mapping.dmp

Download
memory/4648-237-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/4648-238-0x0000000002F92000-0x0000000002F93000-memory.dmp

Filesize
4KB

Download
memory/4648-227-0x0000000000000000-mapping.dmp

Download
memory/4656-250-0x0000000004E42000-0x0000000004E43000-memory.dmp

Filesize
4KB

Download
memory/4656-242-0x0000000000000000-mapping.dmp

Download
memory/4656-249-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4672-191-0x0000000000000000-mapping.dmp

Download
memory/4680-228-0x0000000000000000-mapping.dmp

Download
memory/4680-239-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/4680-232-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4740-229-0x0000000000000000-mapping.dmp

Download
memory/4740-236-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/4740-234-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/4808-240-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/4808-235-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/4808-230-0x0000000000000000-mapping.dmp

Download
memory/4880-215-0x0000000000000000-mapping.dmp

Download
memory/5020-217-0x0000000000000000-mapping.dmp

Download
memory/5020-221-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/5020-220-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/5056-222-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/5056-223-0x0000000004FB2000-0x0000000004FB3000-memory.dmp

Filesize
4KB

Download
memory/5056-218-0x0000000000000000-mapping.dmp

Download
memory/5096-247-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/5096-248-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/5096-241-0x0000000000000000-mapping.dmp

Download
memory/5100-219-0x0000000000000000-mapping.dmp

Download
memory/5100-226-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/5100-224-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/5156-243-0x0000000000000000-mapping.dmp

Download
memory/5156-253-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/5156-256-0x0000000004DE2000-0x0000000004DE3000-memory.dmp

Filesize
4KB

Download
memory/5476-280-0x0000000000000000-mapping.dmp

Download
memory/5548-261-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/5548-252-0x0000000000000000-mapping.dmp

Download
memory/5548-262-0x0000000004262000-0x0000000004263000-memory.dmp

Filesize
4KB

Download
memory/5604-265-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/5604-255-0x0000000000000000-mapping.dmp

Download
memory/5604-263-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/5660-258-0x0000000000000000-mapping.dmp

Download
memory/5660-268-0x0000000006842000-0x0000000006843000-memory.dmp

Filesize
4KB

Download
memory/5660-267-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/5920-298-0x0000000000000000-mapping.dmp

Download
memory/5932-272-0x0000000006862000-0x0000000006863000-memory.dmp

Filesize
4KB

Download
memory/5932-270-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/5932-264-0x0000000000000000-mapping.dmp

Download
memory/5984-266-0x0000000000000000-mapping.dmp

Download
memory/5984-273-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/5984-274-0x0000000004162000-0x0000000004163000-memory.dmp

Filesize
4KB

Download
memory/6052-269-0x0000000000000000-mapping.dmp

Download
memory/6052-271-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/6052-275-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/6416-283-0x0000000000000000-mapping.dmp

Download
memory/6440-284-0x0000000000000000-mapping.dmp

Download
memory/6480-285-0x0000000000000000-mapping.dmp

Download
memory/6552-310-0x0000000000000000-mapping.dmp

Download
memory/6672-294-0x0000000000000000-mapping.dmp

Download
memory/6676-293-0x0000000000000000-mapping.dmp

Download
memory/6904-297-0x0000000000000000-mapping.dmp

Download
memory/6960-295-0x0000000000000000-mapping.dmp

Download
memory/6980-289-0x0000000000000000-mapping.dmp

Download
memory/7008-290-0x0000000000000000-mapping.dmp

Download
memory/7056-296-0x0000000000000000-mapping.dmp

Download
memory/7060-291-0x0000000000000000-mapping.dmp

Download
memory/7068-312-0x0000000000000000-mapping.dmp

Download
memory/7176-311-0x0000000000000000-mapping.dmp

Download
memory/7420-314-0x0000000000000000-mapping.dmp

Download
memory/7500-299-0x0000000000000000-mapping.dmp

Download
memory/7556-300-0x0000000000000000-mapping.dmp

Download
memory/7584-313-0x0000000000000000-mapping.dmp

Download
memory/7604-301-0x0000000000000000-mapping.dmp

Download
memory/8188-309-0x0000000000000000-mapping.dmp

Download
memory/8532-317-0x0000000000000000-mapping.dmp

Download
memory/8560-318-0x0000000000000000-mapping.dmp

Download
memory/8592-319-0x0000000000000000-mapping.dmp

Download
memory/8612-320-0x0000000000000000-mapping.dmp

Download
memory/8656-321-0x0000000000000000-mapping.dmp

Download
memory/8728-322-0x0000000000000000-mapping.dmp

Download
memory/9076-323-0x0000000000000000-mapping.dmp

Download
memory/9108-324-0x0000000000000000-mapping.dmp

Download
memory/9180-325-0x0000000000000000-mapping.dmp

Download