e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d

Analysis

max time kernel
93s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2022, 16:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
Size

46KB
MD5

7f08d617391f3052dcb93fd8237af942
SHA1

d87ef0b2d25c89aef81d48fe4fa70abbabcc5012
SHA256

e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d
SHA512

e7d26c95b51f3953c104007f2bc807c0b299015407be1b1a6e1e3ef880e4ee707aed336cae73063ff39c507600971e103c23e87d83ce53a5f5ab878dbd0ffab8
SSDEEP

768:u4KUgg3cQQIcXIKsyXbOfq1Ikmm5+8jqc+h820Buk+9bHyucMde:u4KUgg3cQOLbO8mIHAU

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
3372	splwow86.exe
4832	win_def.exe
3016	splwow32.exe
2684	mib.exe
2860	splwow86.exe
4900	win_def.exe
2400	splwow32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	splwow86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	splwow32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	splwow86.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	win_def.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	win_def.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ident.me
14	ident.me
21	ident.me

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\splwow86.exe	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
File created	C:\Windows\Help\mid	splwow86.exe
File opened for modification	C:\Windows\Help\Help\mid	splwow86.exe
File created	C:\Windows\Help\1	splwow86.exe
File opened for modification	C:\Windows\splwow86.exe	splwow32.exe
File opened for modification	C:\Windows\Help\GPU	mib.exe
File created	C:\Windows\Help\Help\mid	splwow86.exe
File created	C:\Windows\win_def.exe	splwow86.exe
File created	C:\Windows\Help\0	splwow86.exe
File created	C:\Windows\Help\3	splwow86.exe
File created	C:\Windows\Help\99	splwow32.exe
File opened for modification	C:\Windows\Help\5	splwow86.exe
File opened for modification	C:\Windows\Help\ip	splwow86.exe
File opened for modification	C:\Windows\DirectX.bat	splwow32.exe
File created	C:\Windows\Help\ip	splwow86.exe
File created	C:\Windows\Help\GPU	splwow86.exe
File created	C:\Windows\mib.exe	splwow86.exe
File created	C:\Windows\temp.exe	splwow86.exe
File created	C:\Windows\svchost0.exe	splwow86.exe
File created	C:\Windows\splwow86.exe	splwow32.exe
File opened for modification	C:\Windows\Help\ip	splwow86.exe
File created	C:\Windows\splwow32.exe	splwow86.exe
File created	C:\Windows\Help\2	splwow86.exe
File created	C:\Windows\Help\4	splwow86.exe
File created	C:\Windows\Help\5	splwow86.exe
File opened for modification	C:\Windows\Help\GPU	splwow86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
1400	taskkill.exe
3140	taskkill.exe
3992	taskkill.exe
3700	taskkill.exe
4292	taskkill.exe
3484	taskkill.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3212	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
3212	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
3372	splwow86.exe
4832	win_def.exe
4992	powershell.exe
4992	powershell.exe
4216	powershell.exe
4216	powershell.exe
3456	powershell.exe
3456	powershell.exe
988	powershell.exe
988	powershell.exe
3016	splwow32.exe
3016	splwow32.exe
3016	splwow32.exe
2684	mib.exe
2860	splwow86.exe
4900	win_def.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
628	powershell.exe
628	powershell.exe
628	powershell.exe
2400	splwow32.exe
2400	splwow32.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
1404	powershell.exe
1404	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
Token: SeDebugPrivilege	3372	splwow86.exe
Token: SeDebugPrivilege	4832	win_def.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3016	splwow32.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4832	win_def.exe
Token: SeSecurityPrivilege	4832	win_def.exe
Token: SeTakeOwnershipPrivilege	4832	win_def.exe
Token: SeLoadDriverPrivilege	4832	win_def.exe
Token: SeSystemProfilePrivilege	4832	win_def.exe
Token: SeSystemtimePrivilege	4832	win_def.exe
Token: SeProfSingleProcessPrivilege	4832	win_def.exe
Token: SeIncBasePriorityPrivilege	4832	win_def.exe
Token: SeCreatePagefilePrivilege	4832	win_def.exe
Token: SeBackupPrivilege	4832	win_def.exe
Token: SeRestorePrivilege	4832	win_def.exe
Token: SeShutdownPrivilege	4832	win_def.exe
Token: SeDebugPrivilege	4832	win_def.exe
Token: SeSystemEnvironmentPrivilege	4832	win_def.exe
Token: SeRemoteShutdownPrivilege	4832	win_def.exe
Token: SeUndockPrivilege	4832	win_def.exe
Token: SeManageVolumePrivilege	4832	win_def.exe
Token: 33	4832	win_def.exe
Token: 34	4832	win_def.exe
Token: 35	4832	win_def.exe
Token: 36	4832	win_def.exe
Token: SeIncreaseQuotaPrivilege	4832	win_def.exe
Token: SeSecurityPrivilege	4832	win_def.exe
Token: SeTakeOwnershipPrivilege	4832	win_def.exe
Token: SeLoadDriverPrivilege	4832	win_def.exe
Token: SeSystemProfilePrivilege	4832	win_def.exe
Token: SeSystemtimePrivilege	4832	win_def.exe
Token: SeProfSingleProcessPrivilege	4832	win_def.exe
Token: SeIncBasePriorityPrivilege	4832	win_def.exe
Token: SeCreatePagefilePrivilege	4832	win_def.exe
Token: SeBackupPrivilege	4832	win_def.exe
Token: SeRestorePrivilege	4832	win_def.exe
Token: SeShutdownPrivilege	4832	win_def.exe
Token: SeDebugPrivilege	4832	win_def.exe
Token: SeSystemEnvironmentPrivilege	4832	win_def.exe
Token: SeRemoteShutdownPrivilege	4832	win_def.exe
Token: SeUndockPrivilege	4832	win_def.exe
Token: SeManageVolumePrivilege	4832	win_def.exe
Token: 33	4832	win_def.exe
Token: 34	4832	win_def.exe
Token: 35	4832	win_def.exe
Token: 36	4832	win_def.exe
Token: SeDebugPrivilege	2684	mib.exe
Token: SeDebugPrivilege	2860	splwow86.exe
Token: SeIncreaseQuotaPrivilege	4832	win_def.exe
Token: SeSecurityPrivilege	4832	win_def.exe
Token: SeTakeOwnershipPrivilege	4832	win_def.exe
Token: SeLoadDriverPrivilege	4832	win_def.exe
Token: SeSystemProfilePrivilege	4832	win_def.exe
Token: SeSystemtimePrivilege	4832	win_def.exe
Token: SeProfSingleProcessPrivilege	4832	win_def.exe
Token: SeIncBasePriorityPrivilege	4832	win_def.exe
Token: SeCreatePagefilePrivilege	4832	win_def.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3372	3212	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe	82
PID 3212 wrote to memory of 3372	3212	e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe	82
PID 3372 wrote to memory of 4832	3372	splwow86.exe	86
PID 3372 wrote to memory of 4832	3372	splwow86.exe	86
PID 3372 wrote to memory of 1400	3372	splwow86.exe	88
PID 3372 wrote to memory of 1400	3372	splwow86.exe	88
PID 4832 wrote to memory of 4992	4832	win_def.exe	90
PID 4832 wrote to memory of 4992	4832	win_def.exe	90
PID 4832 wrote to memory of 4216	4832	win_def.exe	91
PID 4832 wrote to memory of 4216	4832	win_def.exe	91
PID 4832 wrote to memory of 3456	4832	win_def.exe	93
PID 4832 wrote to memory of 3456	4832	win_def.exe	93
PID 4832 wrote to memory of 988	4832	win_def.exe	94
PID 4832 wrote to memory of 988	4832	win_def.exe	94
PID 3372 wrote to memory of 3140	3372	splwow86.exe	96
PID 3372 wrote to memory of 3140	3372	splwow86.exe	96
PID 3372 wrote to memory of 3016	3372	splwow86.exe	98
PID 3372 wrote to memory of 3016	3372	splwow86.exe	98
PID 3016 wrote to memory of 3992	3016	splwow32.exe	100
PID 3016 wrote to memory of 3992	3016	splwow32.exe	100
PID 3016 wrote to memory of 2684	3016	splwow32.exe	101
PID 3016 wrote to memory of 2684	3016	splwow32.exe	101
PID 3016 wrote to memory of 2860	3016	splwow32.exe	102
PID 3016 wrote to memory of 2860	3016	splwow32.exe	102
PID 2860 wrote to memory of 4900	2860	splwow86.exe	103
PID 2860 wrote to memory of 4900	2860	splwow86.exe	103
PID 2860 wrote to memory of 3700	2860	splwow86.exe	105
PID 2860 wrote to memory of 3700	2860	splwow86.exe	105
PID 4900 wrote to memory of 3468	4900	win_def.exe	107
PID 4900 wrote to memory of 3468	4900	win_def.exe	107
PID 2684 wrote to memory of 696	2684	mib.exe	109
PID 2684 wrote to memory of 696	2684	mib.exe	109
PID 4900 wrote to memory of 628	4900	win_def.exe	110
PID 4900 wrote to memory of 628	4900	win_def.exe	110
PID 2684 wrote to memory of 2380	2684	mib.exe	111
PID 2684 wrote to memory of 2380	2684	mib.exe	111
PID 2860 wrote to memory of 4292	2860	splwow86.exe	112
PID 2860 wrote to memory of 4292	2860	splwow86.exe	112
PID 2860 wrote to memory of 2400	2860	splwow86.exe	113
PID 2860 wrote to memory of 2400	2860	splwow86.exe	113
PID 4900 wrote to memory of 2440	4900	win_def.exe	115
PID 4900 wrote to memory of 2440	4900	win_def.exe	115
PID 2400 wrote to memory of 3484	2400	splwow32.exe	116
PID 2400 wrote to memory of 3484	2400	splwow32.exe	116
PID 4900 wrote to memory of 1404	4900	win_def.exe	119
PID 4900 wrote to memory of 1404	4900	win_def.exe	119

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	win_def.exe

C:\Users\Admin\AppData\Local\Temp\e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe
"C:\Users\Admin\AppData\Local\Temp\e55b0fb3378fbfa632be751738fc4f6084a391e206873d05c9969225f94c158d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\splwow86.exe
  "C:\Windows\splwow86.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\win_def.exe
    "C:\Windows\win_def.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\hh.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Public
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:988
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /im file.exe /t /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- - C:\Windows\system32\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /im splwow32 /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- - C:\Windows\splwow32.exe
    "C:\Windows\splwow32.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /im splwow86.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3992
  - - C:\Windows\mib.exe
      "C:\Windows\mib.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get Capacity
        5⤵
        
        PID:696
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get Speed
        5⤵
        
        PID:2380
  - - C:\Windows\splwow86.exe
      "C:\Windows\splwow86.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\win_def.exe
        
        "C:\Windows\win_def.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Downloads
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\hh.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Public
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
    - - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /im file.exe /t /f
        5⤵
        Kills process with taskkill
        
        PID:3700
    - - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /im splwow32 /f
        5⤵
        Kills process with taskkill
        
        PID:4292
    - - C:\Windows\splwow32.exe
        
        "C:\Windows\splwow32.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /im splwow86.exe /f
        6⤵
        Kills process with taskkill
        
        PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\splwow86.exe.log

Filesize
4KB

MD5
15c33bedc4afbd1fa8ab646f77d6d7d4

SHA1
049363197d6daeb8e6a9fd2af99a9a8a13639fea

SHA256
9f94437a4dd2fc158a304c5c6de636e5603b024e7ff6fff0ec97a6e88c6c8c30

SHA512
a1f440556343d9d83dc9e5f29d2b75ecc4967ea47cb489257e19aac24dd459b1f93975f38850de4e65610e0253b1c9943049e551f896539d3c0bbe8ab7781a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\win_def.exe.log

Filesize
4KB

MD5
7045504205ac49814eb31b45aa5c95a2

SHA1
62c64e352c12fa1597e857f30c064a504fd7d706

SHA256
9602e4343a4a775aa7a398c72b9b2e72b837c8be8a5a178055c56543db29bf78

SHA512
0c9aea0099aeebcee06fc670fc9e13fb1c27e98426ea2eafe45516338a61d51aeb82217de5fdaf444ef9de6e5e83dd51449f3e9a149d7229c5e4f71784d2ec8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2253c665505da63342ef14dd8197f0b5

SHA1
466f37281031aea4ac775d9fb8e91489a85faf82

SHA256
27948dca356cfdff3a5480bdca63a66963505ad1bdc7ff42d1380bf418667436

SHA512
c45fd978256c168493b900ffddded099e0717068b772012bdebfcdcb2377f7a4adf2b968eb37125ed98fdcfb277c9f81fa02f90cfec60f4915d3027c27d7da0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0d8abf9638c74e2459427f0738f597a0

SHA1
7f0d7f08e3bab3736388f3db7e5cb5beb726ef4d

SHA256
cad3af71b0b153675d87318a3fd44524d95a1b158549e5dd94d64795972d9382

SHA512
52e226e566b0b3b3800538c452deccde78ca22fbc47139c34e9f35fc49c2549b44ac4e5c5debc0692251244757af6f2ab447cad4c28fa6a2711661c472ae7b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f545274ba19d9199a78f74cd05e8187

SHA1
4036cf78d3f310af42963c8f16ae27c5922b5dff

SHA256
3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

SHA512
b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab1c06eb58feaa4c391aca847a9d8c22

SHA1
7135120dfad41b4d64e675294e1b974891b3ee76

SHA256
3705f63962d11b61c726853043b5c47800b77b3392f8ef42921fb31514eeba8e

SHA512
8fe9947248e64b2cb94af62bc8126f4c13700254a17a204b58535cb9ad32919be5aeca0e745127ceb8c666dc3b3140bb406d7591b32531c6c3eb1771ee571edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Windows\Help\0

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\1

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\2

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\3

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\4

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\5

Filesize
1B

MD5
eccbc87e4b5ce2fe28308fd9f2a7baf3

SHA1
77de68daecd823babbb58edb1c8e14d7106e83bb

SHA256
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce

SHA512
3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

Download Submit
C:\Windows\Help\99

Filesize
1B

MD5
a87ff679a2f3e71d9181a67b7542122c

SHA1
1b6453892473a467d07372d45eb05abc2031647a

SHA256
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a

SHA512
a321d8b405e3ef2604959847b36d171eebebc4a8941dc70a4784935a4fca5d5813de84dfa049f06549aa61b20848c1633ce81b675286ea8fb53db240d831c568

Download Submit
C:\Windows\Help\GPU

Filesize
68B

MD5
caac31d027355bf7e9aac064c0ecda54

SHA1
05bd1300e21e1361108ca3fd05e3ce1984be5fae

SHA256
45bd7125a999074e2a7a96cdb3f06c2dbd8c45ecedbe9d65248e796a04764b8b

SHA512
7d59ea072f022c815996bb5783efa49215ab3df8035ecdf729ee476905353c7ff93f7d29b89bf8c84fc3e7833bf488191434e0934a4a8480d7427d9de33b0a32

Download Submit
C:\Windows\Help\GPU

Filesize
68B

MD5
caac31d027355bf7e9aac064c0ecda54

SHA1
05bd1300e21e1361108ca3fd05e3ce1984be5fae

SHA256
45bd7125a999074e2a7a96cdb3f06c2dbd8c45ecedbe9d65248e796a04764b8b

SHA512
7d59ea072f022c815996bb5783efa49215ab3df8035ecdf729ee476905353c7ff93f7d29b89bf8c84fc3e7833bf488191434e0934a4a8480d7427d9de33b0a32

Download Submit
C:\Windows\Help\GPU

Filesize
68B

MD5
caac31d027355bf7e9aac064c0ecda54

SHA1
05bd1300e21e1361108ca3fd05e3ce1984be5fae

SHA256
45bd7125a999074e2a7a96cdb3f06c2dbd8c45ecedbe9d65248e796a04764b8b

SHA512
7d59ea072f022c815996bb5783efa49215ab3df8035ecdf729ee476905353c7ff93f7d29b89bf8c84fc3e7833bf488191434e0934a4a8480d7427d9de33b0a32

Download Submit
C:\Windows\Help\Help\mid

Filesize
20B

MD5
ce5199dfdf76aea92e22fec9820d7b61

SHA1
1afaa22d3912f344484f17570d4c4fc197d58ec5

SHA256
f20bf1e9cbb5ecbf78ba7e4190c3f1e36f33d3e4df7fd50e318ebaba90a037d2

SHA512
049df95c6d014dd257a666e91763e7835bcb5136d7194a5fe53d5e112cf47793de6d623de325c0eb7995c62293382875f9d53116fbbfb2c7b6283c970fddbd08

Download Submit
C:\Windows\Help\ip

Filesize
12B

MD5
0146b97f1bf748301734071d33706ba1

SHA1
4fe8ed756a2e7d09499d962cb3ffd9a7d3e20495

SHA256
c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f

SHA512
34e2df58d22ddbc3b5d4355394232e71b8ec68c389d2a21d99981200ba80e3f90e4af3c56aef2d50b5042796d658e6ac9007450d4e32f0d8db43d167a59f0cfb

Download Submit
C:\Windows\Help\ip

Filesize
12B

MD5
0146b97f1bf748301734071d33706ba1

SHA1
4fe8ed756a2e7d09499d962cb3ffd9a7d3e20495

SHA256
c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f

SHA512
34e2df58d22ddbc3b5d4355394232e71b8ec68c389d2a21d99981200ba80e3f90e4af3c56aef2d50b5042796d658e6ac9007450d4e32f0d8db43d167a59f0cfb

Download Submit
C:\Windows\Help\mid

Filesize
20B

MD5
ce5199dfdf76aea92e22fec9820d7b61

SHA1
1afaa22d3912f344484f17570d4c4fc197d58ec5

SHA256
f20bf1e9cbb5ecbf78ba7e4190c3f1e36f33d3e4df7fd50e318ebaba90a037d2

SHA512
049df95c6d014dd257a666e91763e7835bcb5136d7194a5fe53d5e112cf47793de6d623de325c0eb7995c62293382875f9d53116fbbfb2c7b6283c970fddbd08

Download Submit
C:\Windows\mib.exe

Filesize
81KB

MD5
02ab492efdccff7eb7580ac797b204c8

SHA1
e5c6269146f63cc3d9ae9c1af8f67b5491cdf117

SHA256
64830a06a097219eaa23178ee147952e40dafc824f0a69fdd75d7f4e9642808d

SHA512
90672c295771a61ae37d95015b1db16500e9b7360c4afa1767f952f249034ee9a97d6b2bda739249d10e944f7c415c2c60161524658bf3f772c67cd2b4bb8285

Download Submit
C:\Windows\mib.exe

Filesize
81KB

MD5
02ab492efdccff7eb7580ac797b204c8

SHA1
e5c6269146f63cc3d9ae9c1af8f67b5491cdf117

SHA256
64830a06a097219eaa23178ee147952e40dafc824f0a69fdd75d7f4e9642808d

SHA512
90672c295771a61ae37d95015b1db16500e9b7360c4afa1767f952f249034ee9a97d6b2bda739249d10e944f7c415c2c60161524658bf3f772c67cd2b4bb8285

Download Submit
C:\Windows\splwow32.exe

Filesize
115KB

MD5
0d609004a5ec0bf0bb3b3f0993e863e4

SHA1
e25f5c67006833c4c0e97f466d5f85814796320c

SHA256
acb4d04dcfae8acc6da79933dd0e1ab5dd5097adeef6c13ded64c9c7b50eb9ec

SHA512
4dabbbfb3b23b702a5790268c163264df6a23c2a8e819d658ad0f78ee0808b3dad123927c3e33fb3b3eb1d17d48f647924cf2abf6c24d9da90bd39f77b2860f4

Download Submit
C:\Windows\splwow32.exe

Filesize
115KB

MD5
0d609004a5ec0bf0bb3b3f0993e863e4

SHA1
e25f5c67006833c4c0e97f466d5f85814796320c

SHA256
acb4d04dcfae8acc6da79933dd0e1ab5dd5097adeef6c13ded64c9c7b50eb9ec

SHA512
4dabbbfb3b23b702a5790268c163264df6a23c2a8e819d658ad0f78ee0808b3dad123927c3e33fb3b3eb1d17d48f647924cf2abf6c24d9da90bd39f77b2860f4

Download Submit
C:\Windows\splwow32.exe

Filesize
115KB

MD5
0d609004a5ec0bf0bb3b3f0993e863e4

SHA1
e25f5c67006833c4c0e97f466d5f85814796320c

SHA256
acb4d04dcfae8acc6da79933dd0e1ab5dd5097adeef6c13ded64c9c7b50eb9ec

SHA512
4dabbbfb3b23b702a5790268c163264df6a23c2a8e819d658ad0f78ee0808b3dad123927c3e33fb3b3eb1d17d48f647924cf2abf6c24d9da90bd39f77b2860f4

Download Submit
C:\Windows\splwow86.exe

Filesize
70KB

MD5
08e105822ad762ec3c31b4b743bedbc3

SHA1
d96e8c94751121ab2fad33150a06b6b077a04c90

SHA256
fba9be1892f9cd27ace102d88185db4b75768cbdd6caf3b242e29ed520421310

SHA512
084e8607686a784d65afb44e5bc82d08bc8b78b73d6ce7be2fb1a229e76f557182de5cd17dfdfacb46f1442d122c3cee4ba756e6792b48045e21bbd8bd6ec9b4

Download Submit
C:\Windows\splwow86.exe

Filesize
70KB

MD5
08e105822ad762ec3c31b4b743bedbc3

SHA1
d96e8c94751121ab2fad33150a06b6b077a04c90

SHA256
fba9be1892f9cd27ace102d88185db4b75768cbdd6caf3b242e29ed520421310

SHA512
084e8607686a784d65afb44e5bc82d08bc8b78b73d6ce7be2fb1a229e76f557182de5cd17dfdfacb46f1442d122c3cee4ba756e6792b48045e21bbd8bd6ec9b4

Download Submit
C:\Windows\splwow86.exe

Filesize
70KB

MD5
08e105822ad762ec3c31b4b743bedbc3

SHA1
d96e8c94751121ab2fad33150a06b6b077a04c90

SHA256
fba9be1892f9cd27ace102d88185db4b75768cbdd6caf3b242e29ed520421310

SHA512
084e8607686a784d65afb44e5bc82d08bc8b78b73d6ce7be2fb1a229e76f557182de5cd17dfdfacb46f1442d122c3cee4ba756e6792b48045e21bbd8bd6ec9b4

Download Submit
C:\Windows\splwow86.exe

Filesize
70KB

MD5
08e105822ad762ec3c31b4b743bedbc3

SHA1
d96e8c94751121ab2fad33150a06b6b077a04c90

SHA256
fba9be1892f9cd27ace102d88185db4b75768cbdd6caf3b242e29ed520421310

SHA512
084e8607686a784d65afb44e5bc82d08bc8b78b73d6ce7be2fb1a229e76f557182de5cd17dfdfacb46f1442d122c3cee4ba756e6792b48045e21bbd8bd6ec9b4

Download Submit
C:\Windows\win_def.exe

Filesize
61KB

MD5
6cffcdc038fb5fbae7aad8798bad2d3c

SHA1
c187d886435d735b57aff6fa79f2e2a4a80f2726

SHA256
3d0ed74c4947b7a723e8bb736260c23f12958103bf84d291036a8956343bf692

SHA512
abc3d654a06b46ff62ddbab739a5b78d2fcd18e230add6fdbc9366f3b16e5dbd18ca018a57b8c38bfc9488d73c21f5c21ba8188e0056872fddcfb07f6c478b1c

Download Submit
C:\Windows\win_def.exe

Filesize
61KB

MD5
6cffcdc038fb5fbae7aad8798bad2d3c

SHA1
c187d886435d735b57aff6fa79f2e2a4a80f2726

SHA256
3d0ed74c4947b7a723e8bb736260c23f12958103bf84d291036a8956343bf692

SHA512
abc3d654a06b46ff62ddbab739a5b78d2fcd18e230add6fdbc9366f3b16e5dbd18ca018a57b8c38bfc9488d73c21f5c21ba8188e0056872fddcfb07f6c478b1c

Download Submit
C:\Windows\win_def.exe

Filesize
61KB

MD5
6cffcdc038fb5fbae7aad8798bad2d3c

SHA1
c187d886435d735b57aff6fa79f2e2a4a80f2726

SHA256
3d0ed74c4947b7a723e8bb736260c23f12958103bf84d291036a8956343bf692

SHA512
abc3d654a06b46ff62ddbab739a5b78d2fcd18e230add6fdbc9366f3b16e5dbd18ca018a57b8c38bfc9488d73c21f5c21ba8188e0056872fddcfb07f6c478b1c

Download Submit
memory/628-214-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/628-205-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/988-167-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/988-161-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/1404-227-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2400-213-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2400-229-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2440-221-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2440-223-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2684-186-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2684-175-0x0000000000210000-0x000000000022A000-memory.dmp

Filesize
104KB

Download
memory/2684-220-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2684-208-0x000000001E660000-0x000000001E672000-memory.dmp

Filesize
72KB

Download
memory/2684-182-0x000000001DC80000-0x000000001DCAA000-memory.dmp

Filesize
168KB

Download
memory/2684-183-0x000000001DC80000-0x000000001DCA4000-memory.dmp

Filesize
144KB

Download
memory/2860-212-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-181-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3016-180-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3016-165-0x0000000000DE0000-0x0000000000E04000-memory.dmp

Filesize
144KB

Download
memory/3016-170-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3212-139-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3212-132-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/3212-134-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3212-133-0x000000001CC80000-0x000000001CCA2000-memory.dmp

Filesize
136KB

Download
memory/3372-141-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3372-140-0x000000001EA80000-0x000000001EC42000-memory.dmp

Filesize
1.8MB

Download
memory/3372-166-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3372-138-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/3456-157-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3468-202-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3468-198-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4216-154-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4216-153-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4832-188-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4832-219-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4832-148-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4832-145-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/4900-226-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4900-196-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4900-231-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/4992-149-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download