5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/10/2022, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
Size

536KB
MD5

0d7c11c2202fff468c4e9f8ed29b682d
SHA1

cd9e6dd5e7c55e9bebf9f184c6826f7548185006
SHA256

5736beeb3bcccf928f1520272f417f37c19758762b14819485c8a1bf6220b817
SHA512

0c6098cd61473090ecc8ec0f8f628149b93febdff7f2e0d553504c2703c420546ffd6abf6c02403a9088856d9e8cac6701ca52c09c94b79629f85b411f6c9e86
SSDEEP

6144:5B+pgUzkmJo/iXl2PfBanor7zs1fP/mz2Po9Row9AckGsePWy:5gLaiXBn87QRmio9CweGsdy

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wittols129\Snirkel.Gau	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microfarad\Dockside\Quags.ini	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	powershell.exe
816	powershell.exe
520	powershell.exe
1064	powershell.exe
868	powershell.exe
288	powershell.exe
1524	powershell.exe
1552	powershell.exe
1776	powershell.exe
580	powershell.exe
2028	powershell.exe
768	powershell.exe
1556	powershell.exe
284	powershell.exe
1900	powershell.exe
1736	powershell.exe
1776	powershell.exe
1748	powershell.exe
972	powershell.exe
2036	powershell.exe
1460	powershell.exe
1984	powershell.exe
1712	powershell.exe
1552	powershell.exe
268	powershell.exe
1200	powershell.exe
1228	powershell.exe
1116	powershell.exe
992	powershell.exe
1956	powershell.exe
2016	powershell.exe
1820	powershell.exe
1204	powershell.exe
1628	powershell.exe
2040	powershell.exe
2036	powershell.exe
1788	powershell.exe
1324	powershell.exe
1360	powershell.exe
1464	powershell.exe
1508	powershell.exe
1612	powershell.exe
280	powershell.exe
1740	powershell.exe
1800	powershell.exe
1044	powershell.exe
1360	powershell.exe
1464	powershell.exe
1508	powershell.exe
1612	powershell.exe
1724	powershell.exe
1760	powershell.exe
1496	powershell.exe
760	powershell.exe
1680	powershell.exe
1360	powershell.exe
796	powershell.exe
896	powershell.exe
1612	powershell.exe
1460	powershell.exe
1760	powershell.exe
820	powershell.exe
616	powershell.exe
1776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1712	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	26
PID 544 wrote to memory of 1712	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	26
PID 544 wrote to memory of 1712	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	26
PID 544 wrote to memory of 1712	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	26
PID 544 wrote to memory of 816	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	28
PID 544 wrote to memory of 816	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	28
PID 544 wrote to memory of 816	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	28
PID 544 wrote to memory of 816	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	28
PID 544 wrote to memory of 520	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	30
PID 544 wrote to memory of 520	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	30
PID 544 wrote to memory of 520	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	30
PID 544 wrote to memory of 520	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	30
PID 544 wrote to memory of 1064	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	32
PID 544 wrote to memory of 1064	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	32
PID 544 wrote to memory of 1064	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	32
PID 544 wrote to memory of 1064	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	32
PID 544 wrote to memory of 868	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	34
PID 544 wrote to memory of 868	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	34
PID 544 wrote to memory of 868	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	34
PID 544 wrote to memory of 868	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	34
PID 544 wrote to memory of 288	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	36
PID 544 wrote to memory of 288	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	36
PID 544 wrote to memory of 288	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	36
PID 544 wrote to memory of 288	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	36
PID 544 wrote to memory of 1524	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	38
PID 544 wrote to memory of 1524	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	38
PID 544 wrote to memory of 1524	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	38
PID 544 wrote to memory of 1524	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	38
PID 1524 wrote to memory of 1656	1524	powershell.exe	40
PID 1524 wrote to memory of 1656	1524	powershell.exe	40
PID 1524 wrote to memory of 1656	1524	powershell.exe	40
PID 1524 wrote to memory of 1656	1524	powershell.exe	40
PID 544 wrote to memory of 1056	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	41
PID 544 wrote to memory of 1056	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	41
PID 544 wrote to memory of 1056	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	41
PID 544 wrote to memory of 1056	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	41
PID 544 wrote to memory of 1552	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	43
PID 544 wrote to memory of 1552	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	43
PID 544 wrote to memory of 1552	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	43
PID 544 wrote to memory of 1552	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	43
PID 544 wrote to memory of 1776	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	45
PID 544 wrote to memory of 1776	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	45
PID 544 wrote to memory of 1776	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	45
PID 544 wrote to memory of 1776	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	45
PID 544 wrote to memory of 580	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	47
PID 544 wrote to memory of 580	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	47
PID 544 wrote to memory of 580	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	47
PID 544 wrote to memory of 580	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	47
PID 544 wrote to memory of 2028	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	49
PID 544 wrote to memory of 2028	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	49
PID 544 wrote to memory of 2028	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	49
PID 544 wrote to memory of 2028	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	49
PID 544 wrote to memory of 768	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	51
PID 544 wrote to memory of 768	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	51
PID 544 wrote to memory of 768	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	51
PID 544 wrote to memory of 768	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	51
PID 544 wrote to memory of 1556	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	53
PID 544 wrote to memory of 1556	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	53
PID 544 wrote to memory of 1556	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	53
PID 544 wrote to memory of 1556	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	53
PID 544 wrote to memory of 284	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	55
PID 544 wrote to memory of 284	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	55
PID 544 wrote to memory of 284	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	55
PID 544 wrote to memory of 284	544	SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe	55

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.62655029.2208.13021.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x70ECF671 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7EE5970D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0193E74D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5EC8D05A -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7DC0C85A -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7A81C91F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x499D8413 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 808
    3⤵
    PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1BC0840F -bxor 1000973375
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x4391940F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B99940F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B858456 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1B99881F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x4B899413 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1BC0840B -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1789CD1F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0BD19C0F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1789CD1F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B80CD11 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x499F8475 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x70ECF671 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7EE5970D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0193F256 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x49DDD15E -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x57E8C853 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x54CA8C56 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B85CD1F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0BD1950F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B99940F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1789CD1F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0BD1970F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B99881F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x52899447 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0F998D4F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x15DB9175 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x70ECF671 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7EE5970D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0193F75A -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x4FEFCD53 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5EF9CB56 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x55DDC14D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x13C0844D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0D858456 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1B9A920F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0B998413 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1BC0840F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x17C0840F -bxor 1000973375
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x12C08A4D -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0AE370EC -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF6717EE5 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x970D0193 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF65A5ACD -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE25657CC -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8C56499F -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x881F5289 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD60A1789 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xCD1F0BD1 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x950F0B99 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x940F1783 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xCD1F0B85 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x84561B99 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8D5615DB -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x95754EDA -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xC14D089B -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x9E0578C8 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xC8536CC0 -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xCA5B54DE -bxor 1000973375
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF44D54CA -bxor 1000973375
  2⤵
  PID:624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF31752DB -bxor 1000973375
  2⤵
  PID:2000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x911F17C0 -bxor 1000973375
  2⤵
  PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x840F17C0 -bxor 1000973375
  2⤵
  PID:828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x840F1789 -bxor 1000973375
  2⤵
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xCD1F0B85 -bxor 1000973375
  2⤵
  PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x84561B99 -bxor 1000973375
  2⤵
  PID:664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8D75486E -bxor 1000973375
  2⤵
  PID:1040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1FED72C7 -bxor 1000973375
  2⤵
  PID:1552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5913030C -bxor 1000973375
  2⤵
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA0DC4930 -bxor 1000973375
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5E6AB112 -bxor 1000973375
  2⤵
  PID:952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA869FD2D -bxor 1000973375
  2⤵
  PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8163D90B -bxor 1000973375
  2⤵
  PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x9F090233 -bxor 1000973375
  2⤵
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD0A9E755 -bxor 1000973375
  2⤵
  PID:640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x229D810F -bxor 1000973375
  2⤵
  PID:1616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2410D353 -bxor 1000973375
  2⤵
  PID:1652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x625C899A -bxor 1000973375
  2⤵
  PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0437EEFB -bxor 1000973375
  2⤵
  PID:1180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x83D7DDCA -bxor 1000973375
  2⤵
  PID:912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD3029AD5 -bxor 1000973375
  2⤵
  PID:692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xB5FF9AD0 -bxor 1000973375
  2⤵
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20F3AA47 -bxor 1000973375
  2⤵
  PID:1780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x40420693 -bxor 1000973375
  2⤵
  PID:1188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5617EEE3 -bxor 1000973375
  2⤵
  PID:1148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5AF778B5 -bxor 1000973375
  2⤵
  PID:1216
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xBFCA43F5 -bxor 1000973375
  2⤵
  PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xFAFBDC34 -bxor 1000973375
  2⤵
  PID:288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF8E0F73F -bxor 1000973375
  2⤵
  PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1E7A4AC1 -bxor 1000973375
  2⤵
  PID:1416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xBE66754E -bxor 1000973375
  2⤵
  PID:240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x85AF7026 -bxor 1000973375
  2⤵
  PID:584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F0B87CD -bxor 1000973375
  2⤵
  PID:1040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x572C62FB -bxor 1000973375
  2⤵
  PID:596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x796D0C5E -bxor 1000973375
  2⤵
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x472DE712 -bxor 1000973375
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x395AE50B -bxor 1000973375
  2⤵
  PID:1984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x784CEF98 -bxor 1000973375
  2⤵
  PID:1724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x678CBF8D -bxor 1000973375
  2⤵
  PID:916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD49C6014 -bxor 1000973375
  2⤵
  PID:1696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xBC5BE305 -bxor 1000973375
  2⤵
  PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xF530E7F2 -bxor 1000973375
  2⤵
  PID:584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x22EADF69 -bxor 1000973375
  2⤵
  PID:904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x73D8505F -bxor 1000973375
  2⤵
  PID:1120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA13F8C7D -bxor 1000973375
  2⤵
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE7A31AE8 -bxor 1000973375
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA8E25FB1 -bxor 1000973375
  2⤵
  PID:912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xCAD2F228 -bxor 1000973375
  2⤵
  PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x87DCA443 -bxor 1000973375
  2⤵
  PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x335EA7AC -bxor 1000973375
  2⤵
  PID:576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0E7AA977 -bxor 1000973375
  2⤵
  PID:1784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xBC91B093 -bxor 1000973375
  2⤵
  PID:1564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x9102B620 -bxor 1000973375
  2⤵
  PID:1556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA98E02F5 -bxor 1000973375
  2⤵
  PID:1156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD47A8112 -bxor 1000973375
  2⤵
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD1D24232 -bxor 1000973375
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3CBE9B20 -bxor 1000973375
  2⤵
  PID:912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE21753A4 -bxor 1000973375
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x209DDAE5 -bxor 1000973375
  2⤵
  PID:1308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA868B81B -bxor 1000973375
  2⤵
  PID:820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x39EBCA7 -bxor 1000973375
  2⤵
  PID:596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:568
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x -bxor 1000973375
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f389d445d4c5459ac9ccc0eb0359581

SHA1
6b7904794589d97efbc756043903fa94660efd13

SHA256
b2d4ad5f4d45a1679998d8583dceeb2143a0a28c137933dd63fb1bd050604992

SHA512
d9b9b322deb45cafa1d053e974f467a6a33469ae9c85dce39a26811fbe44afba0cecb71f613c13d181a63d9d4a381fe9cb551e09e6d4cada21708154a01afb65

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd82C9.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
memory/268-194-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/280-254-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/284-134-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/288-85-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/520-69-0x0000000073140000-0x00000000736EB000-memory.dmp

Filesize
5.7MB

Download
memory/544-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/580-111-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/580-112-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/760-288-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/768-123-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/796-297-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/816-64-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/868-80-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/972-161-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/992-208-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-264-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1064-75-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/1116-205-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1200-199-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-221-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-202-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-238-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-237-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-267-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-294-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1360-242-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1360-241-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1460-172-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-270-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-245-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-285-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-273-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-248-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1524-91-0x0000000073B50000-0x00000000740FB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-189-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-99-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-128-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-251-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-276-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1628-224-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-291-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-59-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-183-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-58-0x0000000073B90000-0x000000007413B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-279-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-145-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-257-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-156-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-282-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-150-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-105-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-104-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-234-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-233-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-261-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-218-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-139-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-212-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-178-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-215-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-209-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-117-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-167-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-230-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-227-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download