16ac3a482344c61d1fed027db6a7b1265914084073dd32833596d514092c95d3

Analysis

max time kernel
101s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b542a76b-6268-4a42-4a31-08dbc9572082/5b1840db-7af9-d471-85e0-b44f6bac8668.eml
Size

870KB
MD5

55206913a8e517ea98eea0723a9af9d2
SHA1

f00560631ae009835ebc71a0e6183f61b18cb0cb
SHA256

bde691f02080f6933efaaa680b81e4317a8d46658791c8caa80441470fbf8315
SHA512

bbe00a026c14d819e537b4ca9b4abfba59106d096d9065d8ea18bea7bccda584376888a661cae750b140c60484fd7a4608988b816b7f2ea723714694124ba1d7
SSDEEP

24576:a1qj78QAz7eGVg1zpShvvr2y23/JmUbmQISro:rlAmGge2y23vmn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
368	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe

Loads dropped DLL 24 IoCs

pid	Process
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe
2024	Pensionisternes NA GOD.exe
368	Pensionisternes NA GOD.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	OUTLOOK.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016fe0-457.dat	nsis_installer_1
behavioral1/files/0x0006000000016fe0-457.dat	nsis_installer_2
behavioral1/files/0x0006000000016fe0-463.dat	nsis_installer_1
behavioral1/files/0x0006000000016fe0-463.dat	nsis_installer_2
behavioral1/files/0x0006000000016fe0-464.dat	nsis_installer_1
behavioral1/files/0x0006000000016fe0-464.dat	nsis_installer_2
behavioral1/files/0x0009000000019323-783.dat	nsis_installer_1
behavioral1/files/0x0009000000019323-783.dat	nsis_installer_2
behavioral1/files/0x0009000000019323-784.dat	nsis_installer_1
behavioral1/files/0x0009000000019323-784.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ = "Actions"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ = "PropertyPages"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ = "_DRecipientControl"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ = "_AddressRuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ = "OlkTimeControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación.rar:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación (2).rar\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\Desktop\AEAT - Aviso de Notificación.rar\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO0785B797\Pensionisternes NA GOD.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1624	OUTLOOK.EXE
1052	vlc.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1060	powershell.exe
984	powershell.exe
1912	powershell.exe
2168	powershell.exe
268	powershell.exe
1448	powershell.exe
2396	powershell.exe
2216	powershell.exe
2720	powershell.exe
1744	conhost.exe
864	powershell.exe
304	powershell.exe
1228	conhost.exe
1780	conhost.exe
2420	powershell.exe
1632	Process not Found
2792	powershell.exe
3012	conhost.exe
2888	powershell.exe
1944	conhost.exe
1104	powershell.exe
2856	powershell.exe
1980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1052	vlc.exe
1624	OUTLOOK.EXE
2160	7zFM.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	2160	7zFM.exe
Token: 35	2160	7zFM.exe
Token: SeSecurityPrivilege	2160	7zFM.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1744	conhost.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeSecurityPrivilege	2160	7zFM.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1228	conhost.exe
Token: SeDebugPrivilege	1780	conhost.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1632	Process not Found
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3012	conhost.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1944	conhost.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1624	OUTLOOK.EXE
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
2160	7zFM.exe
2160	7zFM.exe
2160	7zFM.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe
1052	vlc.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE
1052	vlc.exe
1624	OUTLOOK.EXE
1624	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1624 wrote to memory of 1408	1624	OUTLOOK.EXE	31
PID 1408 wrote to memory of 1052	1408	rundll32.exe	32
PID 1408 wrote to memory of 1052	1408	rundll32.exe	32
PID 1408 wrote to memory of 1052	1408	rundll32.exe	32
PID 1408 wrote to memory of 1052	1408	rundll32.exe	32
PID 2160 wrote to memory of 368	2160	7zFM.exe	38
PID 2160 wrote to memory of 368	2160	7zFM.exe	38
PID 2160 wrote to memory of 368	2160	7zFM.exe	38
PID 2160 wrote to memory of 368	2160	7zFM.exe	38
PID 368 wrote to memory of 1060	368	Pensionisternes NA GOD.exe	39
PID 368 wrote to memory of 1060	368	Pensionisternes NA GOD.exe	39
PID 368 wrote to memory of 1060	368	Pensionisternes NA GOD.exe	39
PID 368 wrote to memory of 1060	368	Pensionisternes NA GOD.exe	39
PID 368 wrote to memory of 984	368	Pensionisternes NA GOD.exe	41
PID 368 wrote to memory of 984	368	Pensionisternes NA GOD.exe	41
PID 368 wrote to memory of 984	368	Pensionisternes NA GOD.exe	41
PID 368 wrote to memory of 984	368	Pensionisternes NA GOD.exe	41
PID 368 wrote to memory of 1912	368	Pensionisternes NA GOD.exe	43
PID 368 wrote to memory of 1912	368	Pensionisternes NA GOD.exe	43
PID 368 wrote to memory of 1912	368	Pensionisternes NA GOD.exe	43
PID 368 wrote to memory of 1912	368	Pensionisternes NA GOD.exe	43
PID 368 wrote to memory of 2168	368	Pensionisternes NA GOD.exe	45
PID 368 wrote to memory of 2168	368	Pensionisternes NA GOD.exe	45
PID 368 wrote to memory of 2168	368	Pensionisternes NA GOD.exe	45
PID 368 wrote to memory of 2168	368	Pensionisternes NA GOD.exe	45
PID 368 wrote to memory of 268	368	Pensionisternes NA GOD.exe	47
PID 368 wrote to memory of 268	368	Pensionisternes NA GOD.exe	47
PID 368 wrote to memory of 268	368	Pensionisternes NA GOD.exe	47
PID 368 wrote to memory of 268	368	Pensionisternes NA GOD.exe	47
PID 368 wrote to memory of 1448	368	Pensionisternes NA GOD.exe	49
PID 368 wrote to memory of 1448	368	Pensionisternes NA GOD.exe	49
PID 368 wrote to memory of 1448	368	Pensionisternes NA GOD.exe	49
PID 368 wrote to memory of 1448	368	Pensionisternes NA GOD.exe	49
PID 368 wrote to memory of 2396	368	Pensionisternes NA GOD.exe	51
PID 368 wrote to memory of 2396	368	Pensionisternes NA GOD.exe	51
PID 368 wrote to memory of 2396	368	Pensionisternes NA GOD.exe	51
PID 368 wrote to memory of 2396	368	Pensionisternes NA GOD.exe	51
PID 368 wrote to memory of 2216	368	Pensionisternes NA GOD.exe	53
PID 368 wrote to memory of 2216	368	Pensionisternes NA GOD.exe	53
PID 368 wrote to memory of 2216	368	Pensionisternes NA GOD.exe	53
PID 368 wrote to memory of 2216	368	Pensionisternes NA GOD.exe	53
PID 368 wrote to memory of 2720	368	Pensionisternes NA GOD.exe	55
PID 368 wrote to memory of 2720	368	Pensionisternes NA GOD.exe	55
PID 368 wrote to memory of 2720	368	Pensionisternes NA GOD.exe	55
PID 368 wrote to memory of 2720	368	Pensionisternes NA GOD.exe	55
PID 368 wrote to memory of 1744	368	Pensionisternes NA GOD.exe	101
PID 368 wrote to memory of 1744	368	Pensionisternes NA GOD.exe	101
PID 368 wrote to memory of 1744	368	Pensionisternes NA GOD.exe	101
PID 368 wrote to memory of 1744	368	Pensionisternes NA GOD.exe	101
PID 368 wrote to memory of 864	368	Pensionisternes NA GOD.exe	59
PID 368 wrote to memory of 864	368	Pensionisternes NA GOD.exe	59
PID 368 wrote to memory of 864	368	Pensionisternes NA GOD.exe	59
PID 368 wrote to memory of 864	368	Pensionisternes NA GOD.exe	59
PID 2160 wrote to memory of 2024	2160	7zFM.exe	61
PID 2160 wrote to memory of 2024	2160	7zFM.exe	61
PID 2160 wrote to memory of 2024	2160	7zFM.exe	61
PID 2160 wrote to memory of 2024	2160	7zFM.exe	61
PID 368 wrote to memory of 304	368	Pensionisternes NA GOD.exe	62

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\b542a76b-6268-4a42-4a31-08dbc9572082\5b1840db-7af9-d471-85e0-b44f6bac8668.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación.rar
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación.rar"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1052

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:532

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\AEAT - Aviso de Notificación.rar"
1⤵
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x53686D28 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x57696C3B -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6F772A36 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x72352E36 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x30292272 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3A3A412D -bxor 607}
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6561763A -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x46696E3A -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x41286F7F -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x72342273 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2069226F -bxor 607}
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x7838326F -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3030326F -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x20302E7F -bxor 607}
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x70203273 -bxor 607}
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2069226B -bxor 607}
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
    3⤵
    PID:668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x30783A6F -bxor 607}
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x30296B71 -bxor 607}
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x72332272 -bxor 607}
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3A3A5436 -bxor 607}
    3⤵
    PID:808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x7274773E -bxor 607}
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6C416E33 -bxor 607}
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6F632A36 -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x302C6B7F -bxor 607}
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x36313A6C -bxor 607}
    3⤵
    PID:668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x33323369 -bxor 607}
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3078316F -bxor 607}
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x30302E7F -bxor 607}
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x69203227 -bxor 607}
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x34302B2F -bxor 607}
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2E723372 -bxor 607}
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3A3A513A -bxor 607}
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x74466B33 -bxor 607}
    3⤵
    PID:668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x65506D36 -bxor 607}
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6E74672D -bxor 607}
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2869706C -bxor 607}
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
    3⤵
    PID:888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3734306B -bxor 607}
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x202C2236 -bxor 607}
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x20302E36 -bxor 607}
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
    3⤵
    PID:456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6B657031 -bxor 607}
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x656C316D -bxor 607}
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x3A3A503A -bxor 607}
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x61644436 -bxor 607}
    3⤵
    PID:668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6C652A36 -bxor 607}
    3⤵
    PID:608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x72332E7F -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x6920706E -bxor 607}
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C206B7F -bxor 607}
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x36313A6C -bxor 607}
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x33323369 -bxor 607}
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2C2A6B7F -bxor 607}
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x302C2236 -bxor 607}
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x20302B36 -bxor 607}
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x2E723072 -bxor 607}
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x7573672D -bxor 607}
    3⤵
    PID:892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x33323865 -bxor 607}
    3⤵
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\7zO0785B797\Pensionisternes NA GOD.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0785B797\Pensionisternes NA GOD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
    3⤵
    PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1092059041906022245955430714-773514495-114745262-15694892231796723790-1809321476"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1314732488194780835911097464791564703650-243717554-39823766810521089572124538738"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-619587678-826108802-1716745875-18853484834871439151028577558-926277402-1581720452"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\Desktop\Pensionisternes NA GOD.exe
"C:\Users\Admin\Desktop\Pensionisternes NA GOD.exe"
1⤵
PID:2224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:828
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:2736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Invoke-Command -ScriptBlock{0x -bxor 607}
  2⤵
  PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "27638313-988614339-984320887-1379980923-1393613341680897977449613390-2057885834"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1044191184-1557434496-208144173319026111919241910281807083369506319380-2067836779"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
05874dea7c724d97631bd37c4da7ad1c

SHA1
773616775dd5bece8282b8f03b9d5e30922f0e08

SHA256
3c590b3e6a9bea0dacb9167fc20aaa681b4dcb0acd6d878e51b57886729f5503

SHA512
5336f69a15169ae492fbc08977523836a3de21520c0cd8c11ac7f968ae415014d9ee39cf28dcda57f47d8f221cf40f597363d0b281864de2e3676703dd5a0fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
05874dea7c724d97631bd37c4da7ad1c

SHA1
773616775dd5bece8282b8f03b9d5e30922f0e08

SHA256
3c590b3e6a9bea0dacb9167fc20aaa681b4dcb0acd6d878e51b57886729f5503

SHA512
5336f69a15169ae492fbc08977523836a3de21520c0cd8c11ac7f968ae415014d9ee39cf28dcda57f47d8f221cf40f597363d0b281864de2e3676703dd5a0fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
05874dea7c724d97631bd37c4da7ad1c

SHA1
773616775dd5bece8282b8f03b9d5e30922f0e08

SHA256
3c590b3e6a9bea0dacb9167fc20aaa681b4dcb0acd6d878e51b57886729f5503

SHA512
5336f69a15169ae492fbc08977523836a3de21520c0cd8c11ac7f968ae415014d9ee39cf28dcda57f47d8f221cf40f597363d0b281864de2e3676703dd5a0fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación.rar

Filesize
621KB

MD5
4483048427c35606e0d9787ccc574409

SHA1
8767507c90ed1aebe309b973f1944b5df645cc68

SHA256
dc92ff9f3ad2cee17edb20cbd7a7b5ad7afa55c56d5e803d6940f2fcc70f9061

SHA512
2d5cb73b211c095164c45da2c12d6e432b11b07942b0fc8c77af088a6e0f8801599d9c766f0abd74dc1416f3f30551a64de1300f80933715b832c3ac227ad71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\BLPD77BB\AEAT - Aviso de Notificación.rar

Filesize
621KB

MD5
4483048427c35606e0d9787ccc574409

SHA1
8767507c90ed1aebe309b973f1944b5df645cc68

SHA256
dc92ff9f3ad2cee17edb20cbd7a7b5ad7afa55c56d5e803d6940f2fcc70f9061

SHA512
2d5cb73b211c095164c45da2c12d6e432b11b07942b0fc8c77af088a6e0f8801599d9c766f0abd74dc1416f3f30551a64de1300f80933715b832c3ac227ad71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\Anstrengelsers36\Taktflelsens\Twirlers\Suboblique\baldyret.pre

Filesize
179KB

MD5
5071e7f7f326fe5a9ee3efa04b1b74c6

SHA1
9111292e773468ca7a224e1eec725389f8a8141c

SHA256
31f856039bc343d977ed10433356fb84410464980503a2aee80520217dd6481d

SHA512
941c52ad08f6c3d127f614695ef317bc4ec47cfe32f182570ca71e8e0ff971567a95472a2da3411af0a5f1955c041e9426cc1d6418239242dca148b89a9a7312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\Anstrengelsers36\Taktflelsens\Twirlers\Suboblique\forlggere.chr

Filesize
52KB

MD5
9fd47ca237be7fbfaddd07f2390e1f44

SHA1
2193c42320f866ec097dfb88d6092fd46e6a64af

SHA256
c623f571851141b2328646c255f75ee703c215dd5d82726e6cde8eeae372318b

SHA512
3176be0537941cdabc94a634ed40effb8e20acc9e5f097ea254283fb805833e0d4939b1cd906cc09b86111ec87d101461bdd2d1d33d955e6f1f3adce979b7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\Anstrengelsers36\Taktflelsens\Twirlers\Suboblique\mohairens.txt

Filesize
576B

MD5
b746f2364b759fab9bb4ae01a06283f9

SHA1
b816f5714ba18d3475eac99d846e110947986d70

SHA256
6958d6c483f3fdf0e916f8481ee4a5280f1b2925e60621c6170ac51d7fab0f15

SHA512
80b13aa60d54e02e23ba4201ae3b99fd42dc1dd28603dce1cec9b0de0c6bf7542d6c5d29ab62b607b2d6283e3fd5543f16228c7152e75c7579049f3364e33357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\Cerberus.Hum215

Filesize
348KB

MD5
0c3d442880bc896c70bbe5410642996d

SHA1
0c00ba0f5f0a64933621e60b629ccc80bdf9e074

SHA256
8fd386e3fe8a01a6c54f9e32b217a60677a62387c13576e07b99ab3fb963a800

SHA512
2d8697cfe0fbdbbd261c05b16853c4f828aaef7e2728d1478eed27d975863f019c02fa8ae75b238d46642c0556eb85dd51d8a4a963738bf1971e37ce2c623936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\Disbosoms147.del

Filesize
53KB

MD5
2443073683ab307f308ab70bdf26d361

SHA1
f734764199d5ca5b8fff3c1719162cf556b96724

SHA256
9488d3a891a3a60cb98989f8ed2915c255130db8c7c502237fdfeda770b8b75f

SHA512
717b29e03659ba487e71a5f3941909961104249964afaedb82186adf725cafbbe00ed559bc8372f9e4e1e952dcbabdba961dda87b768c4d6064a11a372e60268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\trevets\Anastasijas\boson\anthropoidean.ind

Filesize
106KB

MD5
f7a769c5c27cbfd125cfb6d451d8e7c3

SHA1
2cc86f0b530356fd0111940647f6ab795094f56f

SHA256
7c240bcd04cc125764746722f4bb02a4f531df4030e05d270c48b679782d17e8

SHA512
6d8f3e5d561a396de5805fea42acb33fc43006fab9d14a13c1ef6cf83d1a146f6daf75a4d5db1e390a2eb15fa00a39ff8c738852ff404316838d129f673a92ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0785B797\Pensionisternes NA GOD.exe

Filesize
766KB

MD5
e5386ec1666afd49b7a21d15b32c923e

SHA1
b85b5e0c8a98d205cea61e7690fe6f8bcdf0d138

SHA256
00ca7e72a993d0d28c9e4fe737562bcddeff8717945f1636e60a229616b60897

SHA512
5953fd7b9d1392beafa3c177e2a8d5c84bad39aa200713191254b47c970afda152db24d1187839c27cae07a86dcae574f80426a327be5b8c8ad00804ec1278b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0785B797\Pensionisternes NA GOD.exe

Filesize
766KB

MD5
e5386ec1666afd49b7a21d15b32c923e

SHA1
b85b5e0c8a98d205cea61e7690fe6f8bcdf0d138

SHA256
00ca7e72a993d0d28c9e4fe737562bcddeff8717945f1636e60a229616b60897

SHA512
5953fd7b9d1392beafa3c177e2a8d5c84bad39aa200713191254b47c970afda152db24d1187839c27cae07a86dcae574f80426a327be5b8c8ad00804ec1278b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe

Filesize
766KB

MD5
e5386ec1666afd49b7a21d15b32c923e

SHA1
b85b5e0c8a98d205cea61e7690fe6f8bcdf0d138

SHA256
00ca7e72a993d0d28c9e4fe737562bcddeff8717945f1636e60a229616b60897

SHA512
5953fd7b9d1392beafa3c177e2a8d5c84bad39aa200713191254b47c970afda152db24d1187839c27cae07a86dcae574f80426a327be5b8c8ad00804ec1278b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe

Filesize
766KB

MD5
e5386ec1666afd49b7a21d15b32c923e

SHA1
b85b5e0c8a98d205cea61e7690fe6f8bcdf0d138

SHA256
00ca7e72a993d0d28c9e4fe737562bcddeff8717945f1636e60a229616b60897

SHA512
5953fd7b9d1392beafa3c177e2a8d5c84bad39aa200713191254b47c970afda152db24d1187839c27cae07a86dcae574f80426a327be5b8c8ad00804ec1278b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO078CFA57\Pensionisternes NA GOD.exe

Filesize
766KB

MD5
e5386ec1666afd49b7a21d15b32c923e

SHA1
b85b5e0c8a98d205cea61e7690fe6f8bcdf0d138

SHA256
00ca7e72a993d0d28c9e4fe737562bcddeff8717945f1636e60a229616b60897

SHA512
5953fd7b9d1392beafa3c177e2a8d5c84bad39aa200713191254b47c970afda152db24d1187839c27cae07a86dcae574f80426a327be5b8c8ad00804ec1278b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BAB264F8-C163-4B34-BB96-5AAF81CC2ED7}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2FGYSP5L8H3X5KBHTCLK.temp

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e55ca24ab3c17ca91be9975f80a8e22f

SHA1
d70b5092653027a59ba0df7d519d2822e9741e5b

SHA256
c9a79b876358942675ea4c1ee8f38645a1d2693f0db6a6f2d351075dc055c76d

SHA512
6cb4069ae5f02e2b2c888797a61ef54571aa0f69b54c8c3594c78afaa4760eb1821e1b02a678a3699162f5e1c8faa329ce9c4ac72dbaec13fb1f789776badd44

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
184B

MD5
6f3d05c298bbd936b41626cc133ac057

SHA1
7587be798de93fd513247bc4b896a0cd4c5a5049

SHA256
471582b399b2c6573ac901bf9ecc252eb457b789d06c74129478317e33bf7b5d

SHA512
b322d4513c5fcc0f0aeed18f412c2b83fa50fb41077ea7124ed18b9c54aa5632c652ac0b83ba923535f5a68f20b7294e1206bfdaad5cd9302611dbd80a11f5f3

Download Submit
C:\Users\Admin\Desktop\AEAT - Aviso de Notificación.rar

Filesize
621KB

MD5
4483048427c35606e0d9787ccc574409

SHA1
8767507c90ed1aebe309b973f1944b5df645cc68

SHA256
dc92ff9f3ad2cee17edb20cbd7a7b5ad7afa55c56d5e803d6940f2fcc70f9061

SHA512
2d5cb73b211c095164c45da2c12d6e432b11b07942b0fc8c77af088a6e0f8801599d9c766f0abd74dc1416f3f30551a64de1300f80933715b832c3ac227ad71d

Download Submit
C:\Users\Admin\Desktop\AEAT - Aviso de Notificación.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj58FA.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9ED0.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9ED0.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9ED0.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9ED0.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9ED0.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
memory/268-608-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/268-609-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/268-610-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/268-611-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/268-607-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/304-818-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/304-811-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/304-817-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/864-765-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/864-767-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/864-768-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/864-769-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/864-775-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/864-766-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/984-567-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/984-563-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/984-562-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/984-564-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/984-565-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/984-566-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1052-266-0x000007FEF3610000-0x000007FEF363C000-memory.dmp

Filesize
176KB

Download
memory/1052-253-0x000007FEF39D0000-0x000007FEF3A3F000-memory.dmp

Filesize
444KB

Download
memory/1052-225-0x000000013F900000-0x000000013F9F8000-memory.dmp

Filesize
992KB

Download
memory/1052-226-0x000007FEF6CF0000-0x000007FEF6D24000-memory.dmp

Filesize
208KB

Download
memory/1052-227-0x000007FEF5AC0000-0x000007FEF5D74000-memory.dmp

Filesize
2.7MB

Download
memory/1052-236-0x000007FEF6C90000-0x000007FEF6CA7000-memory.dmp

Filesize
92KB

Download
memory/1052-297-0x000007FEF2900000-0x000007FEF2911000-memory.dmp

Filesize
68KB

Download
memory/1052-296-0x000007FEF2920000-0x000007FEF2932000-memory.dmp

Filesize
72KB

Download
memory/1052-295-0x000007FEF2940000-0x000007FEF2969000-memory.dmp

Filesize
164KB

Download
memory/1052-294-0x000007FEF2970000-0x000007FEF2986000-memory.dmp

Filesize
88KB

Download
memory/1052-235-0x000007FEF6CB0000-0x000007FEF6CC1000-memory.dmp

Filesize
68KB

Download
memory/1052-234-0x000007FEF6CD0000-0x000007FEF6CE7000-memory.dmp

Filesize
92KB

Download
memory/1052-233-0x000007FEF7260000-0x000007FEF7278000-memory.dmp

Filesize
96KB

Download
memory/1052-238-0x000007FEF6720000-0x000007FEF673D000-memory.dmp

Filesize
116KB

Download
memory/1052-237-0x000007FEF6740000-0x000007FEF6751000-memory.dmp

Filesize
68KB

Download
memory/1052-239-0x000007FEF58C0000-0x000007FEF5AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1052-293-0x000007FEF2990000-0x000007FEF29A8000-memory.dmp

Filesize
96KB

Download
memory/1052-292-0x000007FEF29B0000-0x000007FEF29C2000-memory.dmp

Filesize
72KB

Download
memory/1052-291-0x000007FEF29D0000-0x000007FEF29E1000-memory.dmp

Filesize
68KB

Download
memory/1052-240-0x000007FEF6700000-0x000007FEF6711000-memory.dmp

Filesize
68KB

Download
memory/1052-241-0x000007FEF61C0000-0x000007FEF61FF000-memory.dmp

Filesize
252KB

Download
memory/1052-242-0x000007FEF66D0000-0x000007FEF66F1000-memory.dmp

Filesize
132KB

Download
memory/1052-243-0x000007FEF61A0000-0x000007FEF61B8000-memory.dmp

Filesize
96KB

Download
memory/1052-244-0x000007FEF4810000-0x000007FEF58BB000-memory.dmp

Filesize
16.7MB

Download
memory/1052-290-0x000007FEF29F0000-0x000007FEF2A01000-memory.dmp

Filesize
68KB

Download
memory/1052-289-0x000007FEF2A10000-0x000007FEF2A21000-memory.dmp

Filesize
68KB

Download
memory/1052-288-0x000007FEF2A30000-0x000007FEF2B32000-memory.dmp

Filesize
1.0MB

Download
memory/1052-287-0x000007FEF2B40000-0x000007FEF2B51000-memory.dmp

Filesize
68KB

Download
memory/1052-286-0x000007FEF2B60000-0x000007FEF2BFF000-memory.dmp

Filesize
636KB

Download
memory/1052-285-0x000007FEF2C00000-0x000007FEF2C13000-memory.dmp

Filesize
76KB

Download
memory/1052-282-0x000007FEF2C60000-0x000007FEF2CC1000-memory.dmp

Filesize
388KB

Download
memory/1052-283-0x000007FEF2C40000-0x000007FEF2C51000-memory.dmp

Filesize
68KB

Download
memory/1052-284-0x000007FEF2C20000-0x000007FEF2C32000-memory.dmp

Filesize
72KB

Download
memory/1052-245-0x000007FEF6160000-0x000007FEF6171000-memory.dmp

Filesize
68KB

Download
memory/1052-246-0x000007FEF6140000-0x000007FEF6151000-memory.dmp

Filesize
68KB

Download
memory/1052-247-0x000007FEF6120000-0x000007FEF6131000-memory.dmp

Filesize
68KB

Download
memory/1052-248-0x000007FEF6100000-0x000007FEF611B000-memory.dmp

Filesize
108KB

Download
memory/1052-249-0x000007FEF4050000-0x000007FEF4061000-memory.dmp

Filesize
68KB

Download
memory/1052-250-0x000007FEF4030000-0x000007FEF4048000-memory.dmp

Filesize
96KB

Download
memory/1052-281-0x000007FEF2CD0000-0x000007FEF2CE1000-memory.dmp

Filesize
68KB

Download
memory/1052-280-0x000007FEF2CF0000-0x000007FEF2D15000-memory.dmp

Filesize
148KB

Download
memory/1052-279-0x000007FEF2D20000-0x000007FEF2D55000-memory.dmp

Filesize
212KB

Download
memory/1052-251-0x000007FEF4000000-0x000007FEF4030000-memory.dmp

Filesize
192KB

Download
memory/1052-278-0x000007FEF2D60000-0x000007FEF2E72000-memory.dmp

Filesize
1.1MB

Download
memory/1052-277-0x000007FEF2E80000-0x000007FEF30B1000-memory.dmp

Filesize
2.2MB

Download
memory/1052-276-0x000007FEF30C0000-0x000007FEF30D2000-memory.dmp

Filesize
72KB

Download
memory/1052-252-0x000007FEF3F90000-0x000007FEF3FF7000-memory.dmp

Filesize
412KB

Download
memory/1052-254-0x000007FEF3940000-0x000007FEF3951000-memory.dmp

Filesize
68KB

Download
memory/1052-255-0x000007FEF38E0000-0x000007FEF3936000-memory.dmp

Filesize
344KB

Download
memory/1052-256-0x000007FEF38B0000-0x000007FEF38D8000-memory.dmp

Filesize
160KB

Download
memory/1052-275-0x000007FEF30E0000-0x000007FEF3177000-memory.dmp

Filesize
604KB

Download
memory/1052-274-0x000007FEF3180000-0x000007FEF3191000-memory.dmp

Filesize
68KB

Download
memory/1052-273-0x000007FEF31A0000-0x000007FEF31FC000-memory.dmp

Filesize
368KB

Download
memory/1052-257-0x000007FEF3880000-0x000007FEF38A4000-memory.dmp

Filesize
144KB

Download
memory/1052-258-0x000007FEF3860000-0x000007FEF3877000-memory.dmp

Filesize
92KB

Download
memory/1052-259-0x000007FEF3830000-0x000007FEF3853000-memory.dmp

Filesize
140KB

Download
memory/1052-260-0x000007FEF3810000-0x000007FEF3821000-memory.dmp

Filesize
68KB

Download
memory/1052-261-0x000007FEF37F0000-0x000007FEF3802000-memory.dmp

Filesize
72KB

Download
memory/1052-262-0x000007FEF37C0000-0x000007FEF37E1000-memory.dmp

Filesize
132KB

Download
memory/1052-267-0x000007FEF3450000-0x000007FEF3602000-memory.dmp

Filesize
1.7MB

Download
memory/1052-263-0x000007FEF37A0000-0x000007FEF37B3000-memory.dmp

Filesize
76KB

Download
memory/1052-264-0x000007FEF3780000-0x000007FEF3792000-memory.dmp

Filesize
72KB

Download
memory/1052-265-0x000007FEF3640000-0x000007FEF377B000-memory.dmp

Filesize
1.2MB

Download
memory/1060-551-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/1060-552-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1060-479-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1060-480-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1060-481-0x0000000002840000-0x0000000002880000-memory.dmp

Filesize
256KB

Download
memory/1228-820-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1228-819-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-623-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-624-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/1448-625-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/1448-641-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-622-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/1448-621-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1624-1-0x00000000733ED000-0x00000000733F8000-memory.dmp

Filesize
44KB

Download
memory/1624-124-0x00000000733ED000-0x00000000733F8000-memory.dmp

Filesize
44KB

Download
memory/1624-164-0x0000000068891000-0x0000000068892000-memory.dmp

Filesize
4KB

Download
memory/1624-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1744-750-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-753-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1744-752-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1744-754-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-755-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-751-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1912-581-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download
memory/1912-582-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-577-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-578-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download
memory/1912-579-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-580-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download
memory/2168-595-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-596-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2168-593-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-597-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-594-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2216-723-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2216-721-0x00000000027E0000-0x0000000002820000-memory.dmp

Filesize
256KB

Download
memory/2216-722-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2216-724-0x0000000063F20000-0x00000000644CB000-memory.dmp

Filesize
5.7MB

Download
memory/2396-683-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-735-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-736-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2720-737-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2720-738-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2720-739-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-740-0x00000000644D0000-0x0000000064A7B000-memory.dmp

Filesize
5.7MB

Download