nanocore | 4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

Analysis

max time kernel
37s
max time network
135s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-10-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT-SWIFTCOPY.exe
Size

391KB
MD5

788c7a25b15a7263c24c4060f0c0df6a
SHA1

c28333f296ea281d90610a0866d5cdb8885fc34b
SHA256

4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad
SHA512

eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

doc-file.ddns.net:9829

127.0.0.1:9829

Mutex

488a14cf-6a5f-44f7-91cc-ed29cde2cc8c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-05T13:51:06.259902836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9829
default_group
PAYMENT-SWIFTCOPY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
488a14cf-6a5f-44f7-91cc-ed29cde2cc8c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
doc-file.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exeAdvancedRun.exeAdvancedRun.exe

pid process

824 AdvancedRun.exe
708 AdvancedRun.exe
3912 ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
4120 AdvancedRun.exe
2068 AdvancedRun.exe

Drops startup file 2 IoCs

Processes:

PAYMENT-SWIFTCOPY.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	PAYMENT-SWIFTCOPY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	PAYMENT-SWIFTCOPY.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

PAYMENT-SWIFTCOPY.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe = "0"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe = "0"	PAYMENT-SWIFTCOPY.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	regsvcs.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PAYMENT-SWIFTCOPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

pid	process
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	pid	process	target process
PID 4160 set thread context of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 3912 set thread context of 2868	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	regsvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	regsvcs.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	regsvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe	PAYMENT-SWIFTCOPY.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2320 4160 WerFault.exe PAYMENT-SWIFTCOPY.exe
4964 3912 WerFault.exe ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1480 schtasks.exe
4428 schtasks.exe

pid	pid_target	process	target process
2320	4160	WerFault.exe	PAYMENT-SWIFTCOPY.exe
4964	3912	WerFault.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

pid	process
1480	schtasks.exe
4428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePAYMENT-SWIFTCOPY.exeWerFault.exeAdvancedRun.exeAdvancedRun.exeregsvcs.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

pid	process
824	AdvancedRun.exe
824	AdvancedRun.exe
824	AdvancedRun.exe
824	AdvancedRun.exe
708	AdvancedRun.exe
708	AdvancedRun.exe
708	AdvancedRun.exe
708	AdvancedRun.exe
1972	powershell.exe
1668	powershell.exe
2596	powershell.exe
2888	powershell.exe
1448	powershell.exe
2324	powershell.exe
1252	powershell.exe
4824	powershell.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
4160	PAYMENT-SWIFTCOPY.exe
2596	powershell.exe
1448	powershell.exe
2888	powershell.exe
1972	powershell.exe
1252	powershell.exe
2324	powershell.exe
1668	powershell.exe
4824	powershell.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
4120	AdvancedRun.exe
4120	AdvancedRun.exe
4120	AdvancedRun.exe
4120	AdvancedRun.exe
2068	AdvancedRun.exe
2068	AdvancedRun.exe
2068	AdvancedRun.exe
2068	AdvancedRun.exe
1252	powershell.exe
1448	powershell.exe
1668	powershell.exe
2324	powershell.exe
2888	powershell.exe
4824	powershell.exe
2596	powershell.exe
1972	powershell.exe
1124	regsvcs.exe
1124	regsvcs.exe
1124	regsvcs.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeAdvancedRun.exeAdvancedRun.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exeAdvancedRun.exeAdvancedRun.exeregsvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4160	PAYMENT-SWIFTCOPY.exe
Token: SeDebugPrivilege	824	AdvancedRun.exe
Token: SeImpersonatePrivilege	824	AdvancedRun.exe
Token: SeDebugPrivilege	708	AdvancedRun.exe
Token: SeImpersonatePrivilege	708	AdvancedRun.exe
Token: SeDebugPrivilege	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeRestorePrivilege	2320	WerFault.exe
Token: SeBackupPrivilege	2320	WerFault.exe
Token: SeBackupPrivilege	2320	WerFault.exe
Token: SeDebugPrivilege	2320	WerFault.exe
Token: SeDebugPrivilege	4120	AdvancedRun.exe
Token: SeImpersonatePrivilege	4120	AdvancedRun.exe
Token: SeDebugPrivilege	2068	AdvancedRun.exe
Token: SeImpersonatePrivilege	2068	AdvancedRun.exe
Token: SeDebugPrivilege	1124	regsvcs.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeAdvancedRun.exeregsvcs.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exeAdvancedRun.exe

description	pid	process	target process
PID 4160 wrote to memory of 824	4160	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 4160 wrote to memory of 824	4160	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 4160 wrote to memory of 824	4160	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 824 wrote to memory of 708	824	AdvancedRun.exe	AdvancedRun.exe
PID 824 wrote to memory of 708	824	AdvancedRun.exe	AdvancedRun.exe
PID 824 wrote to memory of 708	824	AdvancedRun.exe	AdvancedRun.exe
PID 4160 wrote to memory of 1448	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1448	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1448	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1668	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1668	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1668	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1972	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1972	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1972	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2596	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2596	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2596	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2888	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2888	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2888	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 3912	4160	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 4160 wrote to memory of 3912	4160	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 4160 wrote to memory of 3912	4160	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 4160 wrote to memory of 1252	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1252	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1252	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2324	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2324	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 2324	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 4824	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 4824	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 4824	4160	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 4160 wrote to memory of 1124	4160	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1124 wrote to memory of 1480	1124	regsvcs.exe	schtasks.exe
PID 1124 wrote to memory of 1480	1124	regsvcs.exe	schtasks.exe
PID 1124 wrote to memory of 1480	1124	regsvcs.exe	schtasks.exe
PID 3912 wrote to memory of 4120	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 3912 wrote to memory of 4120	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 3912 wrote to memory of 4120	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 4120 wrote to memory of 2068	4120	AdvancedRun.exe	AdvancedRun.exe
PID 4120 wrote to memory of 2068	4120	AdvancedRun.exe	AdvancedRun.exe
PID 4120 wrote to memory of 2068	4120	AdvancedRun.exe	AdvancedRun.exe
PID 1124 wrote to memory of 4428	1124	regsvcs.exe	schtasks.exe
PID 1124 wrote to memory of 4428	1124	regsvcs.exe	schtasks.exe
PID 1124 wrote to memory of 4428	1124	regsvcs.exe	schtasks.exe
PID 3912 wrote to memory of 4804	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 4804	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 4804	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 3772	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 3772	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 3772	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 4840	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 4840	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 4840	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 604	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe
PID 3912 wrote to memory of 604	3912	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exePAYMENT-SWIFTCOPY.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PAYMENT-SWIFTCOPY.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe"
1⤵
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4160
- C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe" /SpecialRun 4101d8 824
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe" /SpecialRun 4101d8 4120
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    PID:604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
    3⤵
    PID:1308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 2420
    3⤵
    - Program crash
    PID:4964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D70.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1480
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A90.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 2592
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
86ceaa1de67755d7a9877e857049140d

SHA1
cb8d266924a38846890aaecc1a4fd65b83ba5f2e

SHA256
d0f7c5664c59315398a2c9f4d3e3c0a33ea6c45e60c01ea9b2e8449769c7d3e1

SHA512
50596227c43eb10b67123d4035f9f87c3abc836ff7c097d72dd8fc5a559819a898faa0a23c9fb3e73976f8577049b4d9885d48a74129c0d7620373f7c31a6b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
9b24276aef9d13958a28c3a55f850cc5

SHA1
16b42a22e34a3705df5800bdfd21fe0235994e55

SHA256
f189bd3c04c5a4836774dc76fc89b28d3a852010d78cb8ef55f6663a8017b00b

SHA512
c65e5ce1e6d29b1c1753a3a44dad55cbf307bba5b052dd3e2ce7e26aaec1f1da5f36a5e2d900daae38d2f5fb5d735b81b504045c5f45d365f9c51b4f807486fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
3178cc56733beb3c79acea7ee4c292f5

SHA1
98df439453aa360bace4c6971615528b541112c4

SHA256
d4dabf38d393c2d13833afc30951ac45ac1416e228c875f6e4d40fb119a33d7c

SHA512
5f0b7840ea31f577d94924488eee9d8f741236bd4bae2417d684636f68e0e0801901b05c73939d27a40baba226ee5aeec41b4e0c47ca9da47fc01a1ef7d2f12f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
a5e6279d22eac8c2c30080e2fbe1b894

SHA1
25cabd9b5ebc7f82e19c9b98bc1cd098874a95cf

SHA256
9928038fb54ba2c85ed4ef52d2fb33253a43718c398f6c6f90d68cb7121e5203

SHA512
6bd1ce866b0de27f18260020f37cf5998ab80f6ccde500fed33f9c174b42bf86c19adb111bfe99033c741f783180f20d2cd702afd4e98fe960cdd749b4f74349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
a5e6279d22eac8c2c30080e2fbe1b894

SHA1
25cabd9b5ebc7f82e19c9b98bc1cd098874a95cf

SHA256
9928038fb54ba2c85ed4ef52d2fb33253a43718c398f6c6f90d68cb7121e5203

SHA512
6bd1ce866b0de27f18260020f37cf5998ab80f6ccde500fed33f9c174b42bf86c19adb111bfe99033c741f783180f20d2cd702afd4e98fe960cdd749b4f74349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
54b389a19d2d06a6b9ae17ba1c96fc5e

SHA1
1970cf5bf46da7bef8305ad3f8543cc310354c92

SHA256
e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b

SHA512
4c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
93cf1a517633e435e1aac2b6c8ecbc6b

SHA1
477a4192ef12cab0fac7a48fbacb091883ca55ee

SHA256
a214e902f9a0e968ab87ef70207b2bb45760cc8406af73e0f179299a3cef568b

SHA512
bf92b0593ed965d3af6666c4367b4cd06653b5e49ed28a9d65fbd90959154659bf0bdf45080936f7992c34d2fff1b4b28ab2b656f20c2ae0fc0729391d9ee88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
5cf46769234601ad2f475cce6492df02

SHA1
0f88b7c50a5b6650b60adcc1eb1daece6348a805

SHA256
3853078c4eb88e7cc4136a3395f96ba3446ab5515823280ca043c4d829fb3fe4

SHA512
89454065ff8d23ac8b4676de75c118fa4510b54da783472dc20971f148fd794ebf2d467a94d45bb14f3e7b11e580ecc49d7245bb9880af43a36a51323662ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
93cf1a517633e435e1aac2b6c8ecbc6b

SHA1
477a4192ef12cab0fac7a48fbacb091883ca55ee

SHA256
a214e902f9a0e968ab87ef70207b2bb45760cc8406af73e0f179299a3cef568b

SHA512
bf92b0593ed965d3af6666c4367b4cd06653b5e49ed28a9d65fbd90959154659bf0bdf45080936f7992c34d2fff1b4b28ab2b656f20c2ae0fc0729391d9ee88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
54b389a19d2d06a6b9ae17ba1c96fc5e

SHA1
1970cf5bf46da7bef8305ad3f8543cc310354c92

SHA256
e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b

SHA512
4c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
beccc2c1e14c1b5077ddd9999370afd4

SHA1
3ac40f2cfd11429d90c8bc2d538ae2fe90d3443e

SHA256
e6e3e971a2fff3b3dbe82ca93cf568de3a6fc35e97efa5fcf5136489ca9a50f4

SHA512
b1632788c62f0dc1386661afe600409e45048981a590ca587bd5df3fd14cc0b322734e58c220ae3408069486ceea9e30a3ad4a5fa7edc8b1cae382784ad20139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
beccc2c1e14c1b5077ddd9999370afd4

SHA1
3ac40f2cfd11429d90c8bc2d538ae2fe90d3443e

SHA256
e6e3e971a2fff3b3dbe82ca93cf568de3a6fc35e97efa5fcf5136489ca9a50f4

SHA512
b1632788c62f0dc1386661afe600409e45048981a590ca587bd5df3fd14cc0b322734e58c220ae3408069486ceea9e30a3ad4a5fa7edc8b1cae382784ad20139

Download Submit
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13c5362f-2488-4656-aa75-e33776b8eed3\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec4425f7-99d3-43dd-b3bc-bcceb3aca6d2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D70.tmp

MD5
2511f5150c45c9c6141788c8be9a44bd

SHA1
1e468ad16380d3b6a7268d7af2482f6259c8651d

SHA256
b95602df2c09914384788c97c9bca318fc50bb443de39b13fb2e45856a2fe065

SHA512
a638b54fbe899780f6dcee8a1859085bcfd2f2195c6db092811b8019c5f4969457ba80b80e3a31c16f4bc964e3c9afbcdf6141c3a2e8953ad209838de8ca1a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A90.tmp

MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

MD5
788c7a25b15a7263c24c4060f0c0df6a

SHA1
c28333f296ea281d90610a0866d5cdb8885fc34b

SHA256
4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

SHA512
eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

MD5
788c7a25b15a7263c24c4060f0c0df6a

SHA1
c28333f296ea281d90610a0866d5cdb8885fc34b

SHA256
4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

SHA512
eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Download Submit
memory/604-1522-0x0000000000C04000-0x0000000000C06000-memory.dmp

Filesize
8KB

Download
memory/604-1521-0x0000000000C03000-0x0000000000C04000-memory.dmp

Filesize
4KB

Download
memory/604-333-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/604-299-0x0000000000000000-mapping.dmp

Download
memory/604-370-0x0000000000C02000-0x0000000000C03000-memory.dmp

Filesize
4KB

Download
memory/604-1322-0x000000007EA30000-0x000000007EA31000-memory.dmp

Filesize
4KB

Download
memory/708-129-0x0000000000000000-mapping.dmp

Download
memory/824-126-0x0000000000000000-mapping.dmp

Download
memory/1124-214-0x000000000041E792-mapping.dmp

Download
memory/1124-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1124-296-0x0000000004FB0000-0x00000000054AE000-memory.dmp

Filesize
5.0MB

Download
memory/1124-242-0x0000000004FB0000-0x00000000054AE000-memory.dmp

Filesize
5.0MB

Download
memory/1252-392-0x000000007E690000-0x000000007E691000-memory.dmp

Filesize
4KB

Download
memory/1252-156-0x0000000000000000-mapping.dmp

Download
memory/1252-201-0x0000000006B02000-0x0000000006B03000-memory.dmp

Filesize
4KB

Download
memory/1252-520-0x0000000006B03000-0x0000000006B04000-memory.dmp

Filesize
4KB

Download
memory/1252-200-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/1252-181-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1252-180-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1308-380-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1308-1326-0x000000007E860000-0x000000007E861000-memory.dmp

Filesize
4KB

Download
memory/1308-426-0x0000000004352000-0x0000000004353000-memory.dmp

Filesize
4KB

Download
memory/1308-1523-0x0000000004353000-0x0000000004354000-memory.dmp

Filesize
4KB

Download
memory/1308-1524-0x0000000004354000-0x0000000004356000-memory.dmp

Filesize
8KB

Download
memory/1308-304-0x0000000000000000-mapping.dmp

Download
memory/1448-131-0x0000000000000000-mapping.dmp

Download
memory/1448-153-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/1448-455-0x000000007E840000-0x000000007E841000-memory.dmp

Filesize
4KB

Download
memory/1448-134-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1448-135-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1448-519-0x0000000000DA3000-0x0000000000DA4000-memory.dmp

Filesize
4KB

Download
memory/1448-146-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1480-243-0x0000000000000000-mapping.dmp

Download
memory/1668-534-0x00000000069B3000-0x00000000069B4000-memory.dmp

Filesize
4KB

Download
memory/1668-410-0x000000007E870000-0x000000007E871000-memory.dmp

Filesize
4KB

Download
memory/1668-132-0x0000000000000000-mapping.dmp

Download
memory/1668-165-0x00000000069B2000-0x00000000069B3000-memory.dmp

Filesize
4KB

Download
memory/1668-138-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1668-136-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1668-157-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1972-399-0x000000007EC60000-0x000000007EC61000-memory.dmp

Filesize
4KB

Download
memory/1972-159-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1972-522-0x00000000067E3000-0x00000000067E4000-memory.dmp

Filesize
4KB

Download
memory/1972-133-0x0000000000000000-mapping.dmp

Download
memory/1972-142-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1972-149-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/1972-150-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/1972-141-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1972-140-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2068-263-0x0000000000000000-mapping.dmp

Download
memory/2324-183-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2324-217-0x00000000069F2000-0x00000000069F3000-memory.dmp

Filesize
4KB

Download
memory/2324-513-0x00000000069F3000-0x00000000069F4000-memory.dmp

Filesize
4KB

Download
memory/2324-209-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/2324-386-0x000000007EBF0000-0x000000007EBF1000-memory.dmp

Filesize
4KB

Download
memory/2324-166-0x0000000000000000-mapping.dmp

Download
memory/2324-182-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2596-171-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/2596-202-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/2596-191-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/2596-137-0x0000000000000000-mapping.dmp

Download
memory/2596-163-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/2596-419-0x000000007EAC0000-0x000000007EAC1000-memory.dmp

Filesize
4KB

Download
memory/2596-525-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/2596-158-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2596-154-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2868-320-0x000000000041E792-mapping.dmp

Download
memory/2868-437-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/2888-161-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2888-174-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/2888-164-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2888-529-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/2888-139-0x0000000000000000-mapping.dmp

Download
memory/2888-376-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/2888-169-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3772-313-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/3772-1283-0x000000007ECF0000-0x000000007ECF1000-memory.dmp

Filesize
4KB

Download
memory/3772-1508-0x00000000047B4000-0x00000000047B6000-memory.dmp

Filesize
8KB

Download
memory/3772-1507-0x00000000047B3000-0x00000000047B4000-memory.dmp

Filesize
4KB

Download
memory/3772-322-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3772-297-0x0000000000000000-mapping.dmp

Download
memory/3912-145-0x0000000000000000-mapping.dmp

Download
memory/3912-177-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4120-244-0x0000000000000000-mapping.dmp

Download
memory/4160-115-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4160-195-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/4160-125-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/4160-124-0x000000000C290000-0x000000000C291000-memory.dmp

Filesize
4KB

Download
memory/4160-123-0x0000000007950000-0x00000000079DB000-memory.dmp

Filesize
556KB

Download
memory/4160-119-0x0000000005610000-0x0000000005613000-memory.dmp

Filesize
12KB

Download
memory/4160-118-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4160-117-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4428-267-0x0000000000000000-mapping.dmp

Download
memory/4804-309-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4804-294-0x0000000000000000-mapping.dmp

Download
memory/4804-1502-0x0000000007254000-0x0000000007256000-memory.dmp

Filesize
8KB

Download
memory/4804-1501-0x0000000007253000-0x0000000007254000-memory.dmp

Filesize
4KB

Download
memory/4804-1182-0x000000007FA10000-0x000000007FA11000-memory.dmp

Filesize
4KB

Download
memory/4804-317-0x0000000007252000-0x0000000007253000-memory.dmp

Filesize
4KB

Download
memory/4824-175-0x0000000000000000-mapping.dmp

Download
memory/4824-184-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4824-526-0x0000000007423000-0x0000000007424000-memory.dmp

Filesize
4KB

Download
memory/4824-446-0x000000007E8D0000-0x000000007E8D1000-memory.dmp

Filesize
4KB

Download
memory/4824-186-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4824-219-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/4824-224-0x0000000007422000-0x0000000007423000-memory.dmp

Filesize
4KB

Download
memory/4840-1238-0x000000007E280000-0x000000007E281000-memory.dmp

Filesize
4KB

Download
memory/4840-298-0x0000000000000000-mapping.dmp

Download
memory/4840-315-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4840-328-0x00000000050B2000-0x00000000050B3000-memory.dmp

Filesize
4KB

Download
memory/4840-1506-0x00000000050B4000-0x00000000050B6000-memory.dmp

Filesize
8KB

Download
memory/4840-1505-0x00000000050B3000-0x00000000050B4000-memory.dmp

Filesize
4KB

Download