purecrypter | hxxps://drive[.]google[.]com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu

Analysis

max time kernel
234s
max time network
302s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

https://knickglobal.com/wp-admin/images/css/design/fabric/bo/Odcny.dll

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/3532-197-0x00000000073C0000-0x0000000007730000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

128 728 rundll32.exe
129 728 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

setup_ov2.exesetup_ov2.exesetup_ov2.exesetup_ov2.exe

pid process

3532 setup_ov2.exe
2816 setup_ov2.exe
4636 setup_ov2.exe
3328 setup_ov2.exe

flow	pid	process
128	728	rundll32.exe
129	728	rundll32.exe

pid	process
3532	setup_ov2.exe
2816	setup_ov2.exe
4636	setup_ov2.exe
3328	setup_ov2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CRM_chat_laucnher.exeCRM_chat_laucnher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	CRM_chat_laucnher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CRM_chat_laucnher.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	CRM_chat_laucnher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CRM_chat_laucnher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

setup_ov2.exe

description pid process target process

PID 3532 set thread context of 3328 3532 setup_ov2.exe setup_ov2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3532 set thread context of 3328	3532	setup_ov2.exe	setup_ov2.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\CRM_chat.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\CRM_chat.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exesetup_ov2.exepowershell.exepowershell.exe

pid	process
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
3532	setup_ov2.exe
3532	setup_ov2.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

firefox.exesetup_ov2.exepowershell.exesetup_ov2.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3520	firefox.exe
Token: SeDebugPrivilege	3532	setup_ov2.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2816	setup_ov2.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3520 firefox.exe
3520 firefox.exe
3520 firefox.exe
3520 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3520 firefox.exe
3520 firefox.exe
3520 firefox.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exeCRM_chat_laucnher.exeCRM_chat_laucnher.exesetup_ov2.exe

pid process

3520 firefox.exe
3520 firefox.exe
3520 firefox.exe
3520 firefox.exe
4076 CRM_chat_laucnher.exe
2708 CRM_chat_laucnher.exe
3328 setup_ov2.exe

pid	process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe

pid	process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe

pid	process
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
3520	firefox.exe
4076	CRM_chat_laucnher.exe
2708	CRM_chat_laucnher.exe
3328	setup_ov2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 2900 wrote to memory of 3520	2900	firefox.exe	firefox.exe
PID 3520 wrote to memory of 2668	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 2668	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4288	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe
PID 3520 wrote to memory of 4900	3520	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu
1⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.0.1887224618\1773620798" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1312 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 1612 gpu
3⤵
PID:2668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.3.190837136\2066203298" -childID 1 -isForBrowser -prefsHandle 2128 -prefMapHandle 2228 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 2260 tab
3⤵
PID:4288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.13.133382609\767440420" -childID 2 -isForBrowser -prefsHandle 3324 -prefMapHandle 3296 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3336 tab
3⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1052

C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe
"C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
PID:4612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:728

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:1608

C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe
"C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
3⤵
PID:2472

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
1⤵
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup_ov2.exe.log
Filesize
1KB

MD5
658b2f3422fc885820bba6ca90e08f7c

SHA1
bef4a36d52375e6f289e6abd2a3927e88aa4d1d6

SHA256
d05a71cf44ab8d2eb20b35972a827b2ef7370b3d2042372f7b0108b7299cf384

SHA512
aaf4e98e6c93e3572e561d97b43c00d4a6ec96f512cf78304af160d5989cc4c3b38482a9df848b5e485b7c7f7ececf8c9ad554a2b2a4e3ee6b43fa66755494af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
43KB

MD5
2f6ac24d06364a5031e78b8021d8603c

SHA1
74e4094c1bf84ec86e458007018b1f2a3cb075c2

SHA256
6886139b36f467b60f3c031db15c7f955f4cc6a89080e27d82ebab2a4d118875

SHA512
5c37758bc2373f5d10206012be3eb501b40784ddf54acbe4841a221b6f710b6f67a7bd832175bed151d9195f64814f1c9f5d85612ace3463abeb8703ca8da04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2537bc1565a1f1a0465c3417c3a8e8b5

SHA1
9da6ddb5d52ca0fcaf88b50f4fa4af8650dcea44

SHA256
abdb39731aa9457488355fb14536653db3efa5804bec8e0004683df7311bc090

SHA512
340c958263caf1b4ad6f55f8390834c4ffee020e90c998378ffc2cf8d7ba44eea5be74e269cab7907942d797530fc06ecdb6ffe69eb08952ba32567679752f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
cacc22b1a932361024618644e4b6e9f2

SHA1
b1f16b0a9fb6adce349ed26dd5066b70ad7ca844

SHA256
dd251d6d39f00344d3c6682c931ecb71b7a06d4e22f409aeb4577d90ba5782bd

SHA512
55afcba56db288f0e7984b816290a69a0ee84d2c4c4679ee8b9b263c96649131bd46c32020329f6b7c04a49d03fe2ebdda7222f3a8fe0a32c3b50105fe8cc2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
1.2MB

MD5
e608f26547589de3bc3fab23c33cf2dc

SHA1
2032c69c4fbea0758f0ac1f0028dc910cbd03ac3

SHA256
a4acbc1cc9bcf9aacec24f93b43c8dbde289936589af61bf279a199766c5f7dd

SHA512
2e042f0f85037c3f0082502e682c05c32ecd3705f6b97abe099e5f3f56c43ac63bd9c4b760e815b9423ba98823c64d7e637358c6f811fffd25fcf55cd6a94619

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
233.1MB

MD5
69e4dc8cb3c2b02eb7a296b50571b0b9

SHA1
3efdb160153421c369bb0a44df562a3ccf484df0

SHA256
d9d14f939c04cadd22f83d18cb917e447a5b8743ed751c55e6246b9b4c0eef35

SHA512
2ccfc2c9bd57990950ed694590c5755c95d45329c1f53886f07aac3a5ae3ef9af2f45f11261afcbf08dd873bc801efb81e2bae2fa124e43a0300a1e9039cb015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
230.6MB

MD5
9214b63aa1e88761f8b03ae673213ade

SHA1
7f6738030eee1572102faf40b3091be827d4dbce

SHA256
195bc9c68454094977dbfb75100358fceff2239ca65cb7bb4cd5dd01ec79cd1f

SHA512
0c74ce033ca47165acbe5891bd00d4ee7be9742429e5c4a037c32a48ec42de954411e68dea5ca269c5eed4f32225913a51d4427d106f5362692382b33d002d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup_ov2.exe
Filesize
29.4MB

MD5
26397bd9762905a417cb3c7f5b289699

SHA1
1082310ebf4b0f5518d36463cba9438e2a341c13

SHA256
00c6541ef14052bc9aafdd9321031d888d1a6c998f89bf2598659b804cd28e82

SHA512
ec32114215a8f66b5db137de9385dc05bf583f36552930f76ab0720ca7a7b29cf813751f6842353e46bf92ee0d504fe1a04385986028aa9e6ab8e9597963b0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tperiuiu.tmp
Filesize
3.5MB

MD5
552c24c5983c8624f49cedd2695b43d7

SHA1
f86503b92829adf9c262172690000f06171ee253

SHA256
30d0e2421c18b22ff2d9128f0607043650a33f3ad7ac8d9a52578b914d4ad1f3

SHA512
986528217392730a66440fbef5a90dad4f2982445b7a2a8f15a8d73cc607633af0ec1b665101d2eddb3764fc9e53e625008d6bf1ec89d7bf54b9aa9de583ec62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
memory/728-499-0x0000000000000000-mapping.dmp

Download
memory/1004-1122-0x0000000000EF5FB0-mapping.dmp

Download
memory/1004-1276-0x0000000005730000-0x0000000006289000-memory.dmp

Filesize
11.3MB

Download
memory/1004-1316-0x0000000003200000-0x0000000003C39000-memory.dmp

Filesize
10.2MB

Download
memory/1004-1319-0x0000000005730000-0x0000000006289000-memory.dmp

Filesize
11.3MB

Download
memory/1356-515-0x0000000000000000-mapping.dmp

Download
memory/1608-1046-0x0000000000EF5FB0-mapping.dmp

Download
memory/1608-1194-0x0000000003210000-0x0000000003C49000-memory.dmp

Filesize
10.2MB

Download
memory/1608-1226-0x0000000005790000-0x00000000062E9000-memory.dmp

Filesize
11.3MB

Download
memory/2472-813-0x0000000000696DD8-mapping.dmp

Download
memory/2472-1357-0x00000000031C0000-0x0000000003D19000-memory.dmp

Filesize
11.3MB

Download
memory/2472-894-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/2472-1223-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/2472-1066-0x00000000031C0000-0x0000000003D19000-memory.dmp

Filesize
11.3MB

Download
memory/2624-799-0x0000000000000000-mapping.dmp

Download
memory/2816-469-0x0000000007770000-0x0000000007AC0000-memory.dmp

Filesize
3.3MB

Download
memory/2816-297-0x0000000000000000-mapping.dmp

Download
memory/2940-284-0x0000000007C30000-0x0000000007CA6000-memory.dmp

Filesize
472KB

Download
memory/2940-279-0x0000000007330000-0x000000000734C000-memory.dmp

Filesize
112KB

Download
memory/2940-251-0x0000000000FB0000-0x0000000000FE6000-memory.dmp

Filesize
216KB

Download
memory/2940-256-0x0000000006CD0000-0x00000000072F8000-memory.dmp

Filesize
6.2MB

Download
memory/2940-275-0x0000000006B60000-0x0000000006BC6000-memory.dmp

Filesize
408KB

Download
memory/2940-276-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/2940-211-0x0000000000000000-mapping.dmp

Download
memory/2940-280-0x0000000007B60000-0x0000000007BAB000-memory.dmp

Filesize
300KB

Download
memory/2940-295-0x0000000009260000-0x00000000098D8000-memory.dmp

Filesize
6.5MB

Download
memory/2940-296-0x0000000008990000-0x00000000089AA000-memory.dmp

Filesize
104KB

Download
memory/3328-711-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3328-712-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/3328-1373-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3328-443-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3328-1304-0x0000000003810000-0x0000000004369000-memory.dmp

Filesize
11.3MB

Download
memory/3328-366-0x0000000000696DD8-mapping.dmp

Download
memory/3328-991-0x0000000003810000-0x0000000004369000-memory.dmp

Filesize
11.3MB

Download
memory/3328-444-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/3532-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-182-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-197-0x00000000073C0000-0x0000000007730000-memory.dmp

Filesize
3.4MB

Download
memory/3532-198-0x0000000007880000-0x00000000078A2000-memory.dmp

Filesize
136KB

Download
memory/3532-200-0x0000000007DF0000-0x0000000008140000-memory.dmp

Filesize
3.3MB

Download
memory/3532-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-353-0x00000000082E0000-0x0000000008434000-memory.dmp

Filesize
1.3MB

Download
memory/3532-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-152-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/3532-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-115-0x0000000000000000-mapping.dmp

Download
memory/3532-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3532-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3940-865-0x0000000000000000-mapping.dmp

Download
memory/4612-348-0x0000000000000000-mapping.dmp

Download
memory/4680-1173-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/4680-1153-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/4680-700-0x00000000096A0000-0x0000000009734000-memory.dmp

Filesize
592KB

Download
memory/4680-688-0x0000000009350000-0x00000000093F5000-memory.dmp

Filesize
660KB

Download
memory/4680-669-0x0000000009120000-0x000000000913E000-memory.dmp

Filesize
120KB

Download
memory/4680-666-0x0000000009160000-0x0000000009193000-memory.dmp

Filesize
204KB

Download
memory/4680-613-0x0000000008530000-0x000000000857B000-memory.dmp

Filesize
300KB

Download
memory/4680-412-0x0000000000000000-mapping.dmp

Download