1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
Size

538KB
MD5

cf076544aff3cbb0eb54535796512501
SHA1

90e1716142a32a6deb17025ec8b43680c0bb5d02
SHA256

1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee
SHA512

7f1742feeb08a422990f6d4b4d837bebbc24b3052c270641221b548bc1f01b9717870332b3f9f9da45bc926b8d2ee6880d240c5a7b0643aac4c2b16b4bfb87a6
SSDEEP

6144:5B+pgUzkmJo/iXl2PfBanortNfjJjH2Il0kRYA6eI:5gLaiXBn8D1hy/

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wittols129\Snirkel.Gau	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microfarad\Dockside\Quags.ini	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	powershell.exe
1896	powershell.exe
1796	powershell.exe
620	powershell.exe
636	powershell.exe
1992	powershell.exe
1464	powershell.exe
1012	powershell.exe
1452	powershell.exe
1580	powershell.exe
1312	powershell.exe
1472	powershell.exe
620	powershell.exe
1980	powershell.exe
2008	powershell.exe
1556	powershell.exe
984	powershell.exe
1704	powershell.exe
1640	powershell.exe
1636	powershell.exe
636	powershell.exe
1168	powershell.exe
1604	powershell.exe
1956	powershell.exe
1688	powershell.exe
1456	powershell.exe
1844	powershell.exe
620	powershell.exe
868	powershell.exe
2008	powershell.exe
1604	powershell.exe
852	powershell.exe
1468	powershell.exe
572	powershell.exe
1976	powershell.exe
828	powershell.exe
916	powershell.exe
1528	powershell.exe
1096	powershell.exe
1956	powershell.exe
1704	powershell.exe
1472	powershell.exe
1728	powershell.exe
672	powershell.exe
952	powershell.exe
740	powershell.exe
1096	powershell.exe
1956	powershell.exe
1704	powershell.exe
1512	powershell.exe
1600	powershell.exe
1564	powershell.exe
1012	powershell.exe
1708	powershell.exe
1520	powershell.exe
1896	powershell.exe
1640	powershell.exe
648	powershell.exe
1992	powershell.exe
972	powershell.exe
792	powershell.exe
1692	powershell.exe
944	powershell.exe
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	26
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	26
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	26
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	26
PID 1416 wrote to memory of 1896	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	28
PID 1416 wrote to memory of 1896	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	28
PID 1416 wrote to memory of 1896	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	28
PID 1416 wrote to memory of 1896	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	28
PID 1416 wrote to memory of 1796	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	30
PID 1416 wrote to memory of 1796	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	30
PID 1416 wrote to memory of 1796	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	30
PID 1416 wrote to memory of 1796	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	30
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	32
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	32
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	32
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	32
PID 1416 wrote to memory of 636	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	34
PID 1416 wrote to memory of 636	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	34
PID 1416 wrote to memory of 636	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	34
PID 1416 wrote to memory of 636	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	34
PID 1416 wrote to memory of 1992	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	36
PID 1416 wrote to memory of 1992	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	36
PID 1416 wrote to memory of 1992	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	36
PID 1416 wrote to memory of 1992	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	36
PID 1416 wrote to memory of 1464	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	38
PID 1416 wrote to memory of 1464	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	38
PID 1416 wrote to memory of 1464	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	38
PID 1416 wrote to memory of 1464	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	38
PID 1416 wrote to memory of 1012	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	40
PID 1416 wrote to memory of 1012	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	40
PID 1416 wrote to memory of 1012	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	40
PID 1416 wrote to memory of 1012	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	40
PID 1416 wrote to memory of 1452	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	42
PID 1416 wrote to memory of 1452	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	42
PID 1416 wrote to memory of 1452	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	42
PID 1416 wrote to memory of 1452	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	42
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	44
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	44
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	44
PID 1416 wrote to memory of 1580	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	44
PID 1416 wrote to memory of 1312	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	46
PID 1416 wrote to memory of 1312	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	46
PID 1416 wrote to memory of 1312	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	46
PID 1416 wrote to memory of 1312	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	46
PID 1416 wrote to memory of 1472	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	48
PID 1416 wrote to memory of 1472	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	48
PID 1416 wrote to memory of 1472	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	48
PID 1416 wrote to memory of 1472	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	48
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	50
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	50
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	50
PID 1416 wrote to memory of 620	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	50
PID 1416 wrote to memory of 1980	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	52
PID 1416 wrote to memory of 1980	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	52
PID 1416 wrote to memory of 1980	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	52
PID 1416 wrote to memory of 1980	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	52
PID 1980 wrote to memory of 796	1980	powershell.exe	54
PID 1980 wrote to memory of 796	1980	powershell.exe	54
PID 1980 wrote to memory of 796	1980	powershell.exe	54
PID 1980 wrote to memory of 796	1980	powershell.exe	54
PID 1416 wrote to memory of 2008	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	55
PID 1416 wrote to memory of 2008	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	55
PID 1416 wrote to memory of 2008	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	55
PID 1416 wrote to memory of 2008	1416	1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe	55

C:\Users\Admin\AppData\Local\Temp\1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe
"C:\Users\Admin\AppData\Local\Temp\1b6d0b882374735f027935e16ab19cf0af734eeeaff3adf1b723ceee3e918fee.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0294CC97 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0C9DADEB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x73EBDDAB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2CB0EABC -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0FB8F2BC -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x08F9F3F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3BE5BEF5 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69B8BEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x31E9AEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79E1AEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79FDBEB0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69E1B2F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x39F1AEF5 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69B8BEED -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 796
    3⤵
    PID:796
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65F1F7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79A9A6E9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65F1F7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79F8F7F7 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3BE7BE93 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0294CC97 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0C9DADEB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x73EBC8B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3BA5EBB8 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2590F2B5 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x26B2B6B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79FDF7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79A9AFE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79E1AEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65F1F7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79A9ADE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79E1B2F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20F1AEA1 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7DE1B7A9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x67A3AB93 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0294CC97 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0C9DADEB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x73EBCDBC -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3D97F7B5 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C81F1B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x27A5FBAB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x61B8BEAB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7FFDBEB0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69E2A8E9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79E1BEF5 -bxor 1238474457
  2⤵
  PID:1780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69B8BEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65B8BEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x60B8B0AB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x789B0294 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0294CC97 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0C9DADEB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x73EBCCBC -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x28B5D8B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x25B4B6B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3BE7B2F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20F1ECEC -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65F1F7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79A9AFE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79E1AEE9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65FBF7F9 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79FDBEB0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 740
    3⤵
    PID:1920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69E1B7B0 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x67A3AF93 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3CA2FBAB -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7AE3A4E3 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x0AB0F2B5 -bxor 1238474457
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1EB8F0BD -bxor 1238474457
  2⤵
  PID:1096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x26A6CEAB -bxor 1238474457
  2⤵
  PID:1840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x26B2C9F1 -bxor 1238474457
  2⤵
  PID:324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20A3ABF9 -bxor 1238474457
  2⤵
  PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65B8BEE9 -bxor 1238474457
  2⤵
  PID:1964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65B8BEE9 -bxor 1238474457
  2⤵
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65F1F7F9 -bxor 1238474457
  2⤵
  PID:1164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x79FDBEB0 -bxor 1238474457
  2⤵
  PID:692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69E1B793 -bxor 1238474457
  2⤵
  PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA3860E33 -bxor 1238474457
  2⤵
  PID:1884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8943D424 -bxor 1238474457
  2⤵
  PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA88954D4 -bxor 1238474457
  2⤵
  PID:1364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x128BF861 -bxor 1238474457
  2⤵
  PID:1168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE7F1F11B -bxor 1238474457
  2⤵
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x878BDE9C -bxor 1238474457
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xC69FC036 -bxor 1238474457
  2⤵
  PID:1580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xA5641D39 -bxor 1238474457
  2⤵
  PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD5389107 -bxor 1238474457
  2⤵
  PID:1268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65DB6C21 -bxor 1238474457
  2⤵
  PID:1440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3D307A37 -bxor 1238474457
  2⤵
  PID:368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x612F3E7C -bxor 1238474457
  2⤵
  PID:1060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x68259A03 -bxor 1238474457
  2⤵
  PID:1072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xBD09A497 -bxor 1238474457
  2⤵
  PID:240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xED1FC933 -bxor 1238474457
  2⤵
  PID:1736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE3BE123C -bxor 1238474457
  2⤵
  PID:788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7A064D9E -bxor 1238474457
  2⤵
  PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7057CCBD -bxor 1238474457
  2⤵
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x8856A4BF -bxor 1238474457
  2⤵
  PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x5EF791E3 -bxor 1238474457
  2⤵
  PID:868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xC72AEDCE -bxor 1238474457
  2⤵
  PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6094F285 -bxor 1238474457
  2⤵
  PID:1596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x4F6B8961 -bxor 1238474457
  2⤵
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65E2ED58 -bxor 1238474457
  2⤵
  PID:1152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3277D431 -bxor 1238474457
  2⤵
  PID:1580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x90357A8D -bxor 1238474457
  2⤵
  PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x36CB1252 -bxor 1238474457
  2⤵
  PID:1292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x9383DBE4 -bxor 1238474457
  2⤵
  PID:1184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xE81AFBE3 -bxor 1238474457
  2⤵
  PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A93BF81 -bxor 1238474457
  2⤵
  PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69FB5FCD -bxor 1238474457
  2⤵
  PID:1604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3F48CD30 -bxor 1238474457
  2⤵
  PID:1740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x731BCC69 -bxor 1238474457
  2⤵
  PID:1164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x82EE3209 -bxor 1238474457
  2⤵
  PID:612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x622CA447 -bxor 1238474457
  2⤵
  PID:1520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x7DC27F53 -bxor 1238474457
  2⤵
  PID:592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x24FAEF14 -bxor 1238474457
  2⤵
  PID:1452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xB7D35321 -bxor 1238474457
  2⤵
  PID:1060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x033D1A41 -bxor 1238474457
  2⤵
  PID:740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x1AF16930 -bxor 1238474457
  2⤵
  PID:1456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C6375FC -bxor 1238474457
  2⤵
  PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x147E6E27 -bxor 1238474457
  2⤵
  PID:788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xEA560BF4 -bxor 1238474457
  2⤵
  PID:1648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x49622E76 -bxor 1238474457
  2⤵
  PID:324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x31738276 -bxor 1238474457
  2⤵
  PID:976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xB5E9CEBC -bxor 1238474457
  2⤵
  PID:1716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65E661AE -bxor 1238474457
  2⤵
  PID:1360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0xD3C175DD -bxor 1238474457
  2⤵
  PID:1068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x03843B47 -bxor 1238474457
  2⤵
  PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x623D207B -bxor 1238474457
  2⤵
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0779b257bcc4b40778481cb4d2cd8765

SHA1
c7b1aebb769b1a35845f5fc74f2b678e2246ada9

SHA256
822ffd3b11a15aa9a8a8fcfa13a2a6763b8393ffa7aa9b7e2c9780837e92dd40

SHA512
791c537fefaac3e9b46cc34884a7a1d97012fa98db07185a4a1d31649026e3f28641b5b1af7c4fd1fa74df75189c90f9f00578a7c405a9491d3d08c48fb3e4ac

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\System.dll

Filesize
11KB

MD5
fc3772787eb239ef4d0399680dcc4343

SHA1
db2fa99ec967178cd8057a14a428a8439a961a73

SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy53BE.tmp\nsExec.dll

Filesize
6KB

MD5
1b76bca7bef0f515d39f31e3c084f31d

SHA1
92705562f13db5967e66624286f8291477b7b217

SHA256
80b76b73d2d143b5db4e2d2e24438a68647ae96ac37289415c1caef5c2ed63d3

SHA512
eab2b02b4bdd421e9f4c8bc3ed42b2ff66cc1a2a7ce93a7fe0174bc92e55a6fbc51c0ea65070603208ffb54330cf3e772db5cc1a6c410efa52697e5f5bcc292d

Download Submit
memory/572-234-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/620-212-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/620-125-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/620-124-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/620-213-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/620-76-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/636-177-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/636-82-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/672-270-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/828-242-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/828-241-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/852-228-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/852-227-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/868-216-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/868-217-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/868-218-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/916-245-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/916-246-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/984-152-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-97-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-253-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-182-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1312-114-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1452-103-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1456-205-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1464-92-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1468-231-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-263-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-262-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-119-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-249-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-146-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-59-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-109-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1580-58-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-224-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-188-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-189-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-171-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-170-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-163-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-164-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-201-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-202-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-250-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-259-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-157-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-266-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-70-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-71-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1844-209-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1844-208-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-64-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-195-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-194-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-256-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-237-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-238-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-131-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-134-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-87-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-221-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-140-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-139-0x0000000073260000-0x000000007380B000-memory.dmp

Filesize
5.7MB

Download