Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2024 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    7.3MB

  • MD5

    6af4b8b8c8399fca6798e3f2d7df9af5

  • SHA1

    7cc85c826668d6f09b43ea9358ecdc57fecf398b

  • SHA256

    84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799

  • SHA512

    05089cf4cedc6f87a08fc2d193e90313e5e8422d3578321fad3af9f4bb97c4647c12b6f1d80bfcdb8c233a2171f895571dfb9047a52c5878f0a29ea02426439b

  • SSDEEP

    196608:pv8GpkVa20mO8hnsSSU/sYE7m/TV38zQF5srpXh+LyDU:zythO+1SNMGcF5svH

Score
10/10
dcratdjvugluptebasmokeloaderstealcpub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratrootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://habrafa.com/test1/get.php

Attributes
  • extension

    .cdcc

  • offline_id

    LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1

  • payload_url

    http://brusuax.com/dl/build2.exe

    http://habrafa.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 7 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 10 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 52 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4100
      • C:\Users\Admin\AppData\Local\Temp\nss4E12.tmp
        C:\Users\Admin\AppData\Local\Temp\nss4E12.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nss4E12.tmp" & del "C:\ProgramData\*.dll"" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 5
            5⤵
            • Delays execution with timeout.exe
            PID:1056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2108
          4⤵
          • Program crash
          PID:4552
    • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
      2⤵
        PID:1636
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 372
          3⤵
          • Program crash
          PID:1680
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 384
          3⤵
          • Program crash
          PID:4412
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 236
            4⤵
            • Program crash
            PID:4352
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 360
            4⤵
            • Program crash
            PID:4308
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 688
            4⤵
            • Program crash
            PID:3272
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 688
            4⤵
            • Program crash
            PID:3748
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 716
            4⤵
            • Program crash
            PID:3344
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 752
            4⤵
            • Program crash
            PID:3684
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 688
            4⤵
            • Program crash
            PID:4904
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 652
            4⤵
            • Program crash
            PID:3564
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 344
            4⤵
            • Program crash
            PID:3476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 392
          3⤵
          • Program crash
          PID:1236
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 680
          3⤵
          • Program crash
          PID:2852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 692
          3⤵
          • Program crash
          PID:5020
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 716
          3⤵
          • Program crash
          PID:2940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 748
          3⤵
          • Program crash
          PID:4700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 756
          3⤵
          • Program crash
          PID:4084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 756
          3⤵
          • Program crash
          PID:3900
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 756
          3⤵
          • Program crash
          PID:4416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 796
          3⤵
          • Program crash
          PID:3344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 884
          3⤵
          • Program crash
          PID:3684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 768
          3⤵
          • Program crash
          PID:4856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 800
          3⤵
          • Program crash
          PID:4680
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 816
          3⤵
          • Program crash
          PID:2960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 720
          3⤵
          • Program crash
          PID:4136
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 780
          3⤵
          • Program crash
          PID:2872
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 800
          3⤵
          • Program crash
          PID:4612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 848
          3⤵
          • Program crash
          PID:1940
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4244
        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:4412
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              PID:4284
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4084
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 372
              5⤵
              • Program crash
              PID:4092
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 388
              5⤵
              • Program crash
              PID:4668
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 728
              5⤵
              • Program crash
              PID:1020
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 728
              5⤵
              • Program crash
              PID:1584
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 776
              5⤵
              • Program crash
              PID:4532
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 800
              5⤵
              • Program crash
              PID:3300
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:4124
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 728
              5⤵
              • Program crash
              PID:1112
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 620
              5⤵
              • Program crash
              PID:2464
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 400
              5⤵
              • Program crash
              PID:2288
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 888
              5⤵
              • Program crash
              PID:1936
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1208
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 844
              5⤵
              • Program crash
              PID:4920
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              5⤵
                PID:4692
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • Creates scheduled task(s)
                PID:1280
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                  PID:532
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 920
                  5⤵
                  • Program crash
                  PID:5040
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 956
                  5⤵
                  • Program crash
                  PID:3476
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  5⤵
                  • Executes dropped EXE
                  PID:1292
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 980
                  5⤵
                  • Program crash
                  PID:1460
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 980
                  5⤵
                  • Program crash
                  PID:3880
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 772
                  5⤵
                  • Program crash
                  PID:2552
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:2476
                • C:\Windows\windefender.exe
                  "C:\Windows\windefender.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:2468
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    6⤵
                      PID:1396
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1144
                    5⤵
                    • Program crash
                    PID:2248
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1160
                    5⤵
                    • Program crash
                    PID:816
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:4612
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:2572
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:4028
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:4360
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 732
                    5⤵
                    • Program crash
                    PID:4056
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:2940
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1156
                    5⤵
                    • Program crash
                    PID:996
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1200
                    5⤵
                    • Program crash
                    PID:4616
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1204
                    5⤵
                    • Program crash
                    PID:3576
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    • Executes dropped EXE
                    PID:3680
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                      PID:4464
              • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
                2⤵
                • Executes dropped EXE
                PID:1788
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 828 -ip 828
              1⤵
                PID:3760
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 828 -ip 828
                1⤵
                  PID:3904
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 828 -ip 828
                  1⤵
                    PID:4832
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 828 -ip 828
                    1⤵
                      PID:3624
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 828 -ip 828
                      1⤵
                        PID:3604
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 828 -ip 828
                        1⤵
                          PID:2916
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 828 -ip 828
                          1⤵
                            PID:1068
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 828 -ip 828
                            1⤵
                              PID:2336
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 828 -ip 828
                              1⤵
                                PID:384
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 828 -ip 828
                                1⤵
                                  PID:916
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 828 -ip 828
                                  1⤵
                                    PID:4476
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                                    1⤵
                                    • Creates scheduled task(s)
                                    PID:3184
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 828 -ip 828
                                    1⤵
                                      PID:4776
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 828 -ip 828
                                      1⤵
                                        PID:832
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 828 -ip 828
                                        1⤵
                                          PID:2880
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 1251
                                          1⤵
                                            PID:1052
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 828 -ip 828
                                            1⤵
                                              PID:1468
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 828 -ip 828
                                              1⤵
                                                PID:2508
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 828 -ip 828
                                                1⤵
                                                  PID:3412
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 828 -ip 828
                                                  1⤵
                                                    PID:2400
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 828 -ip 828
                                                    1⤵
                                                      PID:4144
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4412 -ip 4412
                                                      1⤵
                                                        PID:1236
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4412 -ip 4412
                                                        1⤵
                                                          PID:2336
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4412 -ip 4412
                                                          1⤵
                                                            PID:4672
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4412 -ip 4412
                                                            1⤵
                                                              PID:3756
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
                                                              1⤵
                                                                PID:4920
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4412 -ip 4412
                                                                1⤵
                                                                  PID:4148
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4412 -ip 4412
                                                                  1⤵
                                                                    PID:4172
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
                                                                    1⤵
                                                                      PID:4476
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4412 -ip 4412
                                                                      1⤵
                                                                        PID:2968
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2692 -ip 2692
                                                                        1⤵
                                                                          PID:4968
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2692 -ip 2692
                                                                          1⤵
                                                                            PID:4972
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2692 -ip 2692
                                                                            1⤵
                                                                              PID:2484
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2692 -ip 2692
                                                                              1⤵
                                                                                PID:4264
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2692 -ip 2692
                                                                                1⤵
                                                                                • Executes dropped EXE
                                                                                • Checks SCSI registry key(s)
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious behavior: MapViewOfSection
                                                                                PID:1636
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2692 -ip 2692
                                                                                1⤵
                                                                                  PID:4908
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2692 -ip 2692
                                                                                  1⤵
                                                                                    PID:3780
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2692 -ip 2692
                                                                                    1⤵
                                                                                      PID:1764
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2692 -ip 2692
                                                                                      1⤵
                                                                                        PID:3484
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2692 -ip 2692
                                                                                        1⤵
                                                                                          PID:4120
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2692 -ip 2692
                                                                                          1⤵
                                                                                            PID:4132
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4624 -ip 4624
                                                                                            1⤵
                                                                                              PID:4532
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2692 -ip 2692
                                                                                              1⤵
                                                                                                PID:4036
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2692 -ip 2692
                                                                                                1⤵
                                                                                                  PID:4004
                                                                                                • C:\Users\Admin\AppData\Local\Temp\AA98.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\AA98.exe
                                                                                                  1⤵
                                                                                                    PID:832
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2692 -ip 2692
                                                                                                    1⤵
                                                                                                      PID:4048
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2692 -ip 2692
                                                                                                      1⤵
                                                                                                        PID:3820
                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2692 -ip 2692
                                                                                                        1⤵
                                                                                                          PID:2616
                                                                                                        • C:\Windows\windefender.exe
                                                                                                          C:\Windows\windefender.exe
                                                                                                          1⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Modifies data under HKEY_USERS
                                                                                                          PID:3184
                                                                                                        • C:\Windows\SysWOW64\sc.exe
                                                                                                          sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                                                                          1⤵
                                                                                                          • Launches sc.exe
                                                                                                          PID:3684
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                          1⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          PID:1872
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\B96E.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                            2⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            PID:372
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\B96E.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                              3⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:4500
                                                                                                          • C:\Windows\SysWOW64\icacls.exe
                                                                                                            icacls "C:\Users\Admin\AppData\Local\f17be81f-ff99-4bf8-8b44-2e7f86ee9d88" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                            2⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:4284
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                          1⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          PID:2836
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4500 -ip 4500
                                                                                                          1⤵
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies data under HKEY_USERS
                                                                                                          PID:532
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 568
                                                                                                          1⤵
                                                                                                          • Program crash
                                                                                                          PID:4020
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2692 -ip 2692
                                                                                                          1⤵
                                                                                                            PID:4996
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2692 -ip 2692
                                                                                                            1⤵
                                                                                                              PID:980
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\5A42.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\5A42.exe
                                                                                                              1⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              PID:384
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                2⤵
                                                                                                                • Checks computer location settings
                                                                                                                PID:3008
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\fi.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\fi.exe"
                                                                                                                  3⤵
                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                  • Checks BIOS information in registry
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Checks whether UAC is enabled
                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                  PID:396
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\6223.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\6223.exe
                                                                                                              1⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              PID:4520
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                2⤵
                                                                                                                  PID:4144
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                  2⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                  PID:832
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                  2⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Checks processor information in registry
                                                                                                                  PID:3124
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                  2⤵
                                                                                                                    PID:3052
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\F83A.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\F83A.exe
                                                                                                                  1⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  PID:2080
                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                                                                                                                    2⤵
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:3176
                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 45e9jcJ8d9XdYwCoRBBhPqHCn4vWPviT7ADA9Zpw9cEXFJT73ivgnZDE474VmiH3M6cJsaR9bWbXp5QfszYCHHtG5B3VzDX.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
                                                                                                                      3⤵
                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                      PID:832
                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2692 -ip 2692
                                                                                                                  1⤵
                                                                                                                    PID:4176
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2692 -ip 2692
                                                                                                                    1⤵
                                                                                                                      PID:1680
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2692 -ip 2692
                                                                                                                      1⤵
                                                                                                                        PID:3248
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2692 -ip 2692
                                                                                                                        1⤵
                                                                                                                          PID:696
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\6889.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\6889.exe
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:1456
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\6E56.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\6E56.exe
                                                                                                                          1⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:1604
                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                          explorer.exe
                                                                                                                          1⤵
                                                                                                                          • Modifies Installed Components in the registry
                                                                                                                          • Modifies registry class
                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                          PID:1428
                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                          1⤵
                                                                                                                            PID:3552
                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                            explorer.exe
                                                                                                                            1⤵
                                                                                                                              PID:2024
                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                              1⤵
                                                                                                                                PID:4736
                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                1⤵
                                                                                                                                  PID:4740
                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                  explorer.exe
                                                                                                                                  1⤵
                                                                                                                                    PID:2200

                                                                                                                                  Network

                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                  Reconnaissance

                                                                                                                                  Resource Development

                                                                                                                                  Initial Access

                                                                                                                                  Execution

                                                                                                                                  Scheduled Task/Job

                                                                                                                                  1
                                                                                                                                  T1053

                                                                                                                                  Persistence

                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                  2
                                                                                                                                  T1547

                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                  2
                                                                                                                                  T1547.001

                                                                                                                                  Create or Modify System Process

                                                                                                                                  1
                                                                                                                                  T1543

                                                                                                                                  Windows Service

                                                                                                                                  1
                                                                                                                                  T1543.003

                                                                                                                                  Scheduled Task/Job

                                                                                                                                  1
                                                                                                                                  T1053

                                                                                                                                  Privilege Escalation

                                                                                                                                  Boot or Logon Autostart Execution

                                                                                                                                  2
                                                                                                                                  T1547

                                                                                                                                  Registry Run Keys / Startup Folder

                                                                                                                                  2
                                                                                                                                  T1547.001

                                                                                                                                  Create or Modify System Process

                                                                                                                                  1
                                                                                                                                  T1543

                                                                                                                                  Windows Service

                                                                                                                                  1
                                                                                                                                  T1543.003

                                                                                                                                  Scheduled Task/Job

                                                                                                                                  1
                                                                                                                                  T1053

                                                                                                                                  Defense Evasion

                                                                                                                                  File and Directory Permissions Modification

                                                                                                                                  1
                                                                                                                                  T1222

                                                                                                                                  Impair Defenses

                                                                                                                                  1
                                                                                                                                  T1562

                                                                                                                                  Disable or Modify System Firewall

                                                                                                                                  1
                                                                                                                                  T1562.004

                                                                                                                                  Modify Registry

                                                                                                                                  2
                                                                                                                                  T1112

                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                  1
                                                                                                                                  T1497

                                                                                                                                  Credential Access

                                                                                                                                  Unsecured Credentials

                                                                                                                                  3
                                                                                                                                  T1552

                                                                                                                                  Credentials In Files

                                                                                                                                  3
                                                                                                                                  T1552.001

                                                                                                                                  Discovery

                                                                                                                                  Peripheral Device Discovery

                                                                                                                                  1
                                                                                                                                  T1120

                                                                                                                                  Query Registry

                                                                                                                                  7
                                                                                                                                  T1012

                                                                                                                                  System Information Discovery

                                                                                                                                  7
                                                                                                                                  T1082

                                                                                                                                  Virtualization/Sandbox Evasion

                                                                                                                                  1
                                                                                                                                  T1497

                                                                                                                                  Lateral Movement

                                                                                                                                  Collection

                                                                                                                                  Data from Local System

                                                                                                                                  3
                                                                                                                                  T1005

                                                                                                                                  Command and Control

                                                                                                                                  Web Service

                                                                                                                                  1
                                                                                                                                  T1102

                                                                                                                                  Exfiltration

                                                                                                                                  Impact

                                                                                                                                  Replay Monitor

                                                                                                                                  Loading Replay Monitor...

                                                                                                                                  Downloads

                                                                                                                                  • C:\ProgramData\Are.docx
                                                                                                                                    Filesize

                                                                                                                                    11KB

                                                                                                                                    MD5

                                                                                                                                    a33e5b189842c5867f46566bdbf7a095

                                                                                                                                    SHA1

                                                                                                                                    e1c06359f6a76da90d19e8fd95e79c832edb3196

                                                                                                                                    SHA256

                                                                                                                                    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

                                                                                                                                    SHA512

                                                                                                                                    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\BFIJEHCB
                                                                                                                                    Filesize

                                                                                                                                    92KB

                                                                                                                                    MD5

                                                                                                                                    d63e3a8d4109b7212d419e17141dd862

                                                                                                                                    SHA1

                                                                                                                                    c9637da0763277477e60128ae2cd26fb314fa80a

                                                                                                                                    SHA256

                                                                                                                                    0cdd05fd9d9515c99e713a0cdf201fae20cd5db884c08a292ce16471725c521f

                                                                                                                                    SHA512

                                                                                                                                    dfee6ccabfe03415bea0d817ac0c393e98b54a0dfff102f0eee21c8e85d903e11a073aa97b7a3e8b95d88d5f86afd4c9782e7618e3119727da1e01d4895315e2

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\DBKEGCAE
                                                                                                                                    Filesize

                                                                                                                                    116KB

                                                                                                                                    MD5

                                                                                                                                    f70aa3fa04f0536280f872ad17973c3d

                                                                                                                                    SHA1

                                                                                                                                    50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                                    SHA256

                                                                                                                                    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                                    SHA512

                                                                                                                                    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\freebl3.dll
                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    MD5

                                                                                                                                    01c575f5edb4842230da98c251ac705c

                                                                                                                                    SHA1

                                                                                                                                    958c9240cb9a6959b54f43f1ce86cb4c49c3e11c

                                                                                                                                    SHA256

                                                                                                                                    86c5e1a47a79064bc4442277060254fe59f36d8c10b5db9b0342a9e303aac16c

                                                                                                                                    SHA512

                                                                                                                                    bd682bc613c9e66a539f4794dde8873c7c4289bad3e6d6c7eceff5b81f7676ee62a79db5919259c20d3fa0a96642596487770e62741e914cf0431ff3b0b1e2e8

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\mozglue.dll
                                                                                                                                    Filesize

                                                                                                                                    266KB

                                                                                                                                    MD5

                                                                                                                                    dbc7c0097ba33c5182a776a3bba90cae

                                                                                                                                    SHA1

                                                                                                                                    a52fae1f0043b8b806ca696958114ae98ef1482c

                                                                                                                                    SHA256

                                                                                                                                    4f10c668f7f576586fa68f2998150dda4a8147715d0fdf63fde27003deb942c2

                                                                                                                                    SHA512

                                                                                                                                    86e4ba97198797fe6003ff3998529726e4904c8cac5f79db74732467929dc7f98dc5916f21d1cf5feed1d71c16681b72c19c0ced321f379cc22da0b56392b177

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\mozglue.dll
                                                                                                                                    Filesize

                                                                                                                                    161KB

                                                                                                                                    MD5

                                                                                                                                    3c43d167e5f4350f9709accc85d65d77

                                                                                                                                    SHA1

                                                                                                                                    9d53da7d052591ea25f9ff5dce09303d9dc97a63

                                                                                                                                    SHA256

                                                                                                                                    a086fccfa8835c1459c58b724b926f1d16c06d3923db43648a4fcc0e2ac4f916

                                                                                                                                    SHA512

                                                                                                                                    39cc4adfb57a12511ab8501163b695014d5a6b09d6bcbfd49d9b2038fb907107666558a667e2d86dc34794f403db35a9e02a6e368a96e499e1e6658b8696561a

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\mozglue.dll
                                                                                                                                    Filesize

                                                                                                                                    129KB

                                                                                                                                    MD5

                                                                                                                                    dbf96b9893e02ee207b3397d3e267d8f

                                                                                                                                    SHA1

                                                                                                                                    928b3af5d22fbb7cb6759f5ae5a45a3c15ae475e

                                                                                                                                    SHA256

                                                                                                                                    cd717617bd284e044cf9e54226b8acea8f5f8564da07cf395d5d6604ffac8ac3

                                                                                                                                    SHA512

                                                                                                                                    0affd786c5d1a94c1118ce2e59278d64f613c8f20f4b8d9aa9a423cbdafb42c74755e8b7e58df9dce23b63c6e8bcff626356f0bb17172012fbc35fc80745d813

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\msvcp140.dll
                                                                                                                                    Filesize

                                                                                                                                    80KB

                                                                                                                                    MD5

                                                                                                                                    1f7305c508262812f918af61dc8cf7de

                                                                                                                                    SHA1

                                                                                                                                    a185aab6d5b379f0c708819b30bc098d4688e490

                                                                                                                                    SHA256

                                                                                                                                    e1085bb0d633c7bb141e1fd7a96132101d4f2de56d8078c2985fc44230755100

                                                                                                                                    SHA512

                                                                                                                                    3d50f309576cc671959b7897dc45515b947f8581a0297a90cf1ef4d20c2dc5bfb844d212320540d781e72d7b7fa0a22879ad49381e92702ed9904a17967d9d11

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\nss3.dll
                                                                                                                                    Filesize

                                                                                                                                    236KB

                                                                                                                                    MD5

                                                                                                                                    5c406582ad9111c5cb51858f87c36eea

                                                                                                                                    SHA1

                                                                                                                                    8d70434bb0a3f7f3d778604747a9b7d059d0cecb

                                                                                                                                    SHA256

                                                                                                                                    3a6c1f922a41f9515f9c305d43bddfef0e689b0eb2517341ef92232de18f1094

                                                                                                                                    SHA512

                                                                                                                                    098b21346948acefe931fbc3cac8fce473bf42ec709cf9ee2d5f680575e723d0dcdecf0a73632c8315356a07ea5c59bbcd152a743ff92257a710d4a788bce7ff

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\nss3.dll
                                                                                                                                    Filesize

                                                                                                                                    343KB

                                                                                                                                    MD5

                                                                                                                                    cc8d0053557106653bcb49194a538f05

                                                                                                                                    SHA1

                                                                                                                                    81802e6cf966a7eb7f2482dd7d32ec0d02fd4945

                                                                                                                                    SHA256

                                                                                                                                    09924994d6264345d29a3716c95969291604c498d4248d68345314f322a4faa9

                                                                                                                                    SHA512

                                                                                                                                    f5034d2d874216509b5473bc80bd242b4272b18383d5d87bd53db2d022f02670a103efc75d0f7782f14b9ee34fc5ed855bd07cc2be90ea145208328be2d544d0

                                                                                                                                    Download Submit

                                                                                                                                  • C:\ProgramData\nss3.dll
                                                                                                                                    Filesize

                                                                                                                                    131KB

                                                                                                                                    MD5

                                                                                                                                    49fbd27633a8e8dfd5659a6f6eaadc74

                                                                                                                                    SHA1

                                                                                                                                    5dcbb7370cdcb6e0e71bc6aaba99cdd6d98d85bc

                                                                                                                                    SHA256

                                                                                                                                    e007e390842714c84d383d71de3db67bed1e09d028e4c9ed52ce81de4f81936f

                                                                                                                                    SHA512

                                                                                                                                    3902907d6764b9012a7d062dcc6d1c2c916999e541fe648f77a891aa68970c73e133405417b11c0414446ae5cb2a34e44a4c368ba363cdc0ee45d183755b4558

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                                                                                                                                    Filesize

                                                                                                                                    25KB

                                                                                                                                    MD5

                                                                                                                                    bc8fef1d87730a6a4028c94773e3cb8e

                                                                                                                                    SHA1

                                                                                                                                    abeca2c036e100df90bdddaf37bae4bba6d71438

                                                                                                                                    SHA256

                                                                                                                                    36577ddb346a0712e2583e7496e9d8b6162ca49c8d5b754d6f33ece2dea14515

                                                                                                                                    SHA512

                                                                                                                                    2f8e3c5b623558202c11898a136cceeb4c2677972d5ebe0473b6a7c0cce9096b22bfbb364abd0fc295cdafc9cac11ec8e426bd11035061c398c1e8683412dbc7

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                                                                                                                                    Filesize

                                                                                                                                    351KB

                                                                                                                                    MD5

                                                                                                                                    4e7ff3e6cd0029244000e817e04a1a17

                                                                                                                                    SHA1

                                                                                                                                    f0f913645dfc52102dab2dae150c0151d0e96858

                                                                                                                                    SHA256

                                                                                                                                    cbd110eb4ff873ee55f183bafe998e3f850d532487cdcefbd87540ffdd823076

                                                                                                                                    SHA512

                                                                                                                                    86e4cbb9e5430d465fb7ebb32f5705ecf511f568c290659ff6b329f1f56c156e1be2098ab760bbb75f3340d18068d7aaa14f7a068fc8acf5c2175cc4a4e18b07

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                                                                                                                                    Filesize

                                                                                                                                    358KB

                                                                                                                                    MD5

                                                                                                                                    b47325691ffc08f18368d288c92c5055

                                                                                                                                    SHA1

                                                                                                                                    7f95176a428b183f996d8689151bbd0720d157a1

                                                                                                                                    SHA256

                                                                                                                                    1c5e9630bcd3467e7c21072066eeb04d53dafbe34050cd2404bee4b7c1ba588a

                                                                                                                                    SHA512

                                                                                                                                    d4a6552137d6effee3a1c6bc3720e139c7dd24648aed4b7a86cf187089d020ca47c264a14017dee0cca4836117a8dbc92e786e3aaa5ac463c59cbedad0ae2b24

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                                                                                                                                    Filesize

                                                                                                                                    315KB

                                                                                                                                    MD5

                                                                                                                                    6810610aab2e06fd74f814a4fea89525

                                                                                                                                    SHA1

                                                                                                                                    861f5f42f300bf0e66be147a9e27a455ba87fa6a

                                                                                                                                    SHA256

                                                                                                                                    ad5c396f91a25b752b17d5c8e93dfa78e4017ecb3cfd6d9d74e0a0b623eba65b

                                                                                                                                    SHA512

                                                                                                                                    8d883db8e41081378034288c2fb0cba8432d3b1b0ddc17443b048c306bfbb6575e305166e9b0cf64b112ca5ae5e0198023b600e205ae3986360bd6fccb92db73

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\5A42.exe
                                                                                                                                    Filesize

                                                                                                                                    473KB

                                                                                                                                    MD5

                                                                                                                                    0ed83b921910401b1fe81d739957d364

                                                                                                                                    SHA1

                                                                                                                                    283a4c1e65dbedd256c8b63d3329585573a26cca

                                                                                                                                    SHA256

                                                                                                                                    e1350146ba52f8c6bd479470229b7d1ed05caa7aa96c1bc1c6f3a0518c0e8b85

                                                                                                                                    SHA512

                                                                                                                                    17b8c12b33992673f2b93e631cc8b012e246028dd5f60491e386576a58f4c3d163d118c7526cb7b92f9c21732f73e36195527b4764d1289845063f6d745986ab

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6223.exe
                                                                                                                                    Filesize

                                                                                                                                    267KB

                                                                                                                                    MD5

                                                                                                                                    606c6c076880d30bbbb6be75c804f9a1

                                                                                                                                    SHA1

                                                                                                                                    bcb283b7772cac617d7571731ee29eafe5e38112

                                                                                                                                    SHA256

                                                                                                                                    d72a9e5225bbed902080d73dc0375f4ee5551490114c7ed6fe1902bd064f83c3

                                                                                                                                    SHA512

                                                                                                                                    62b5104d0388c7844e4db2c6638b2c642583817ed961648b095f859ac6c1d3a4789d1ff5306dc3e0a9b81e29eff2af3bff651e2b437a000dc4b9e7b5185275f1

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6889.exe
                                                                                                                                    Filesize

                                                                                                                                    815KB

                                                                                                                                    MD5

                                                                                                                                    edca9c145393402868e6bd58ae777337

                                                                                                                                    SHA1

                                                                                                                                    dcf876919eff339b9d808d245a6c7c19e9cf71a5

                                                                                                                                    SHA256

                                                                                                                                    3e15f8959ec0f8662a347727c256349f2a6ccdc0f80b54f1e515f0ef8b251620

                                                                                                                                    SHA512

                                                                                                                                    699441227c599329c436a2e91de199f1ad097f8329f5951bacd595a8879703f682c1b5c0b77631d8d52a46c4c85a90aee0e77356f418187edb70f2c5d2602c0e

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6889.exe
                                                                                                                                    Filesize

                                                                                                                                    1.8MB

                                                                                                                                    MD5

                                                                                                                                    ee52b5d9908bef6107aedb73afe396c2

                                                                                                                                    SHA1

                                                                                                                                    b881698c788ff456674ebcca636ff05faa52ea5e

                                                                                                                                    SHA256

                                                                                                                                    6858651f1eecdfc8f830c54e491a325e21c37aa3eb214e6e197fbbedfa4b66f3

                                                                                                                                    SHA512

                                                                                                                                    c48fae39096f0994efef651c3042a5aeb1ad460b700703b4814b9459ea291a08a196a4ec149b12e834db83fa63e3650d2a89e475ce764a45b8acff04a855f2f4

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6E56.exe
                                                                                                                                    Filesize

                                                                                                                                    417KB

                                                                                                                                    MD5

                                                                                                                                    711380809bfbf6ef9b66608902cbf812

                                                                                                                                    SHA1

                                                                                                                                    274fa17bbcdf53e57a870351c4169c98c42edea6

                                                                                                                                    SHA256

                                                                                                                                    0073071a8963f7405301885ee25651de95241d905d19187d2b71463e3773c795

                                                                                                                                    SHA512

                                                                                                                                    aff1f014cd4c4cc4b1431a20e1df1658c477ae638449a5b3289d3a69dbeef0f4611497fd78ffaa392df6a01c94ca7db51c2c74c61200578fcb3218ca9e41c4ac

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\6E56.exe
                                                                                                                                    Filesize

                                                                                                                                    628KB

                                                                                                                                    MD5

                                                                                                                                    b0956a777a128fcad83d128a218dbea5

                                                                                                                                    SHA1

                                                                                                                                    adf1f32bf55faa380ad4500eb797df3e7cfc7a3d

                                                                                                                                    SHA256

                                                                                                                                    1f83cbe8c889f748a217b566e6ee9ea7df6b1fd4bed057791cad5093e3846935

                                                                                                                                    SHA512

                                                                                                                                    d62236b56d5c1e56429948ead48c7e2c4c1da86768b2c2c517a611e75239fe193fe8e1d4df8fcd041518f8dd6208177a1835fd803c19b266b50ee51cd8e93ce9

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\AA98.exe
                                                                                                                                    Filesize

                                                                                                                                    85KB

                                                                                                                                    MD5

                                                                                                                                    02ae8f82af4400b15deede8a675f1b8d

                                                                                                                                    SHA1

                                                                                                                                    30b2ad7d93dd7206765d4fba60ea0729cf85329e

                                                                                                                                    SHA256

                                                                                                                                    3c436ad4febe972713066024f8dab2c0efb337a6a6a1bb01a1baaadea43e1c74

                                                                                                                                    SHA512

                                                                                                                                    9d5052d94916c26dbde11ff750b92b5613057f85b531dc8a058a9430a38ed82c3e73df764102c63fafa8f4ec97f5f8f5c025c2bb29d2059b2d104605d1c27c7f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\AA98.exe
                                                                                                                                    Filesize

                                                                                                                                    112KB

                                                                                                                                    MD5

                                                                                                                                    3ec71589c5eace13bd123e5025639710

                                                                                                                                    SHA1

                                                                                                                                    9b4939eb89082f98d86ebb29b1de0fdb74f69b9f

                                                                                                                                    SHA256

                                                                                                                                    231c2ec5d3f4bd6b807223e288668a7687d1dbf3c68d75fa5849e77d6305f8bc

                                                                                                                                    SHA512

                                                                                                                                    5cce06443a7e3eaeefd381764cfb827ad9cd1d50759492100e20dc7b1992edfcef859455f2462d119cdde9cb163be4b2e015e2c3dcbcc3d67c4ecba25ed612f3

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                                                    Filesize

                                                                                                                                    57KB

                                                                                                                                    MD5

                                                                                                                                    23a779710c88f8118970dcd5ef0707e6

                                                                                                                                    SHA1

                                                                                                                                    918e9eca1fca8a498b486528416657e02f80e28c

                                                                                                                                    SHA256

                                                                                                                                    45b748ef3744fedffe94495dbdcbc0cb9f05790a886cc0b177501f8e679a5e2c

                                                                                                                                    SHA512

                                                                                                                                    1513b1b34c1f13080306b6bd0a6e2da0c053b4fed8fb6886a01438bdee438c7bddba3976fcd4aa49627e417cf67bfe9722d9353c4274660b355a3198169ea222

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                                                    Filesize

                                                                                                                                    159KB

                                                                                                                                    MD5

                                                                                                                                    60a7415a789d4c9fffe2b371f3b1777d

                                                                                                                                    SHA1

                                                                                                                                    ee73f261f60f76a17f7bfbdff9cf4f993476eaa7

                                                                                                                                    SHA256

                                                                                                                                    02a4d1a7f28b43bd4eb370b29d6789808e2ec0e8f1a368a312ebcd0f8f285940

                                                                                                                                    SHA512

                                                                                                                                    9758335d38007d0ae376ed8cde6db492f09d7dfcab3da7165dbcf6ba7f75955332c26da321ecb2c310b297bb62763d979257581847c5307ac717eaf1c2bca709

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                                                    Filesize

                                                                                                                                    9KB

                                                                                                                                    MD5

                                                                                                                                    1377a2f018696d2b7b0ac5c7761c7855

                                                                                                                                    SHA1

                                                                                                                                    cb6ea5ee72908009c7888e102504dddf3f4dd1f1

                                                                                                                                    SHA256

                                                                                                                                    aacc2ec950630481dee56a75daad7d50affb83ff518b1f1a3f500e2dfda4f3d1

                                                                                                                                    SHA512

                                                                                                                                    7302d0b338cde4422354ad8e16eeb6c5851a210c62a42a0020ff6efe0ab48229fe53e8239f4e7ecf26fde987319e619275d4a65e221d493264bb4c96555da7ab

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                                                    Filesize

                                                                                                                                    236KB

                                                                                                                                    MD5

                                                                                                                                    5fe1545369ea440950bfb4c7a4ba42e9

                                                                                                                                    SHA1

                                                                                                                                    2c71331dfc01a78f3c470cd45c344352711481ac

                                                                                                                                    SHA256

                                                                                                                                    15bcd77722c9826113de6eaa39bd81b424049a8777e9012999059802083b55da

                                                                                                                                    SHA512

                                                                                                                                    7c9536077d5fdc1bed1112ca7946dec0f236f7165dd8f829a86a8d567a24b4e1a19466ff824023409e456eb246489d75dbfd73883ae25854b27ed0bcc58e0f5a

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\B96E.exe
                                                                                                                                    Filesize

                                                                                                                                    61KB

                                                                                                                                    MD5

                                                                                                                                    cafc4522956c8ace527dd8d124e79c41

                                                                                                                                    SHA1

                                                                                                                                    370897f86f739dfad98aa96a80de0530dd8acbe9

                                                                                                                                    SHA256

                                                                                                                                    58ce316571d652562577efe4478dbc0f8b4ffe03e5e493c45762eb2ec3a638b6

                                                                                                                                    SHA512

                                                                                                                                    2e98e74737a3a51c0de6c695ea9c16010c2cab7d95c5538bb343f3e162141d877fd353e3efe33f095e531b8cc2e2ee540a1c9b32ed1ae216221881c9b9068e92

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
                                                                                                                                    Filesize

                                                                                                                                    323KB

                                                                                                                                    MD5

                                                                                                                                    63379f4a75555d58b61b8024713ddfe6

                                                                                                                                    SHA1

                                                                                                                                    02dcd8751d57a9e755bcef60124e4f249b6e03c2

                                                                                                                                    SHA256

                                                                                                                                    21f1369496b34d25e190d23c1f6a1e7dc9e7e4e6f550f47f01954abf4f1ac135

                                                                                                                                    SHA512

                                                                                                                                    323802974aca709bf36d47526edd6f78c9ebac8c043fad997494e0f6edfc09d6f5669276f3aa7492068727a681713691370da20e6eb41de18bb46f835bffdf4f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\F83A.exe
                                                                                                                                    Filesize

                                                                                                                                    1005KB

                                                                                                                                    MD5

                                                                                                                                    4b1132a820fd101eb0614ce95cad80a6

                                                                                                                                    SHA1

                                                                                                                                    1579e6402342cc2ebf8b3b723fede594a6e87eff

                                                                                                                                    SHA256

                                                                                                                                    cf55477062a1b1377467111d9c75aaada32be9eb20ec2cb9401bc9f44c466193

                                                                                                                                    SHA512

                                                                                                                                    74a5b50e49fe2ee7765291c07389f91f3a5014f85dc8afce5527c7bcbf5fff01660f3b3bd09304f98b76e6d899028cf43b7acd6a732bcf132b50e8b55b158945

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\F83A.exe
                                                                                                                                    Filesize

                                                                                                                                    988KB

                                                                                                                                    MD5

                                                                                                                                    4518f531acddaada6ecfdca692188963

                                                                                                                                    SHA1

                                                                                                                                    060b96600280ef756e8ca42a7d7e6a3659cbdfde

                                                                                                                                    SHA256

                                                                                                                                    b7b8a22f29257805de0f5365171ef805c4b567eda5e3fad5783d1a8b623783ea

                                                                                                                                    SHA512

                                                                                                                                    17d40472a106ef78d92cc6a65a917c8fff30657ebc4f9d0e2d9547aab68e13da65aa84cf3ebcb64cd29e4354ff147d8e06483e3555d9b2c03808b53c8c8ac0c2

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
                                                                                                                                    Filesize

                                                                                                                                    434KB

                                                                                                                                    MD5

                                                                                                                                    e088608214b5519f46b99058d4458652

                                                                                                                                    SHA1

                                                                                                                                    0ccddc4f1bc47fb57ed20ae8f3c105fd9d1b756a

                                                                                                                                    SHA256

                                                                                                                                    d67e864522172f532e3e3ccd72de725370c1bd6e5086c8bc9bf95816a38856e4

                                                                                                                                    SHA512

                                                                                                                                    0f54de19615360b738567a690daea1935166e7a44ed01989fd2dbd0be4656bb788d18d6e2ec722c74ec411a0386f590935f7eaf45a698b519338af18c92191f9

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
                                                                                                                                    Filesize

                                                                                                                                    368KB

                                                                                                                                    MD5

                                                                                                                                    284bfae05654b8c8599682b2e41d1542

                                                                                                                                    SHA1

                                                                                                                                    2d86d1558b178a14ea03df146d8be590955fe7a2

                                                                                                                                    SHA256

                                                                                                                                    12362f8e842c1f3140724c0608915d5a4829e606ef18e580f4ae3fb017e62228

                                                                                                                                    SHA512

                                                                                                                                    21613cfb38d2f51b0189fcb5374c3c8135b2480866ade02dad61367e223459cfc1017a76bfd6e881fc1297f1b489387dff240fb39d4ef8c8e5a524255b93b454

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
                                                                                                                                    Filesize

                                                                                                                                    402KB

                                                                                                                                    MD5

                                                                                                                                    db779a5c5d98cdb44d7303a7ff8ee78f

                                                                                                                                    SHA1

                                                                                                                                    461790fabab2c11cebea451b2ec7d03179e2e8da

                                                                                                                                    SHA256

                                                                                                                                    4a316ccd697f74bd58b48673573758d8d839db0f3f2d571032e675c6a0ee0776

                                                                                                                                    SHA512

                                                                                                                                    63ee4161f9e149a0103821342a61b4118e817afa99664aac7b601fd1cada098cbf7ce1b0438683d8cedd2469793ad4a3128b4ee6af41e42542b6302e8f3ca491

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20cmpqpb.cya.ps1
                                                                                                                                    Filesize

                                                                                                                                    60B

                                                                                                                                    MD5

                                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                    SHA1

                                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                    SHA256

                                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                    SHA512

                                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                                                                                                                    Filesize

                                                                                                                                    99KB

                                                                                                                                    MD5

                                                                                                                                    09031a062610d77d685c9934318b4170

                                                                                                                                    SHA1

                                                                                                                                    880f744184e7774f3d14c1bb857e21cc7fe89a6d

                                                                                                                                    SHA256

                                                                                                                                    778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

                                                                                                                                    SHA512

                                                                                                                                    9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                    Filesize

                                                                                                                                    131KB

                                                                                                                                    MD5

                                                                                                                                    1a52c0ba0c3efe813aa0cfa0a2d35a1b

                                                                                                                                    SHA1

                                                                                                                                    ce887cc8a44623cd291d5019596f35452946c2cd

                                                                                                                                    SHA256

                                                                                                                                    923ee0062d93efe4710dfef5e1ae382314b0694ce01c27dfcf811664f8618641

                                                                                                                                    SHA512

                                                                                                                                    2cc8c6a3cd1131d8d190f1e0b98152c717272efe6818c0c53aa884332bbf38ddc6b469424c90c8eed23be7db272802646dbd3e2202a84d32bb8dc68533d28163

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                    Filesize

                                                                                                                                    130KB

                                                                                                                                    MD5

                                                                                                                                    770ed3b461dc87d694fe0c72e0c37432

                                                                                                                                    SHA1

                                                                                                                                    526e26ecf77b91676d6361b1f9300f634fac70c5

                                                                                                                                    SHA256

                                                                                                                                    ca25e3a3a1105b876a207872c7ccc8799c10ecb6bb58060b8a3c9534fa566b09

                                                                                                                                    SHA512

                                                                                                                                    42ced199ec9fb43044f0b381b61dc6a85452186c4f5095478781faeaa7a201c3d3b36da150fe75d5450f160ebc4e542432fa30cc38e2d3b1d12b021eec79d558

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                    Filesize

                                                                                                                                    281KB

                                                                                                                                    MD5

                                                                                                                                    d98e33b66343e7c96158444127a117f6

                                                                                                                                    SHA1

                                                                                                                                    bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                                                                                                    SHA256

                                                                                                                                    5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                                                                                                    SHA512

                                                                                                                                    705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                                                                    Filesize

                                                                                                                                    119KB

                                                                                                                                    MD5

                                                                                                                                    ebed1916befe713fd7e696ccc12a7c31

                                                                                                                                    SHA1

                                                                                                                                    9c9c9ffd2714ab7c15f87e836de70969623a4a29

                                                                                                                                    SHA256

                                                                                                                                    9886a8abe2b6e920983815f699c74c9aaa0e482a7948a2fb6a3d76c61b8b0dff

                                                                                                                                    SHA512

                                                                                                                                    f03ffbc4f1516b71ec910fc6b70a36566f77c59f08d8b784aed479fa987ad0c89ade9cfd710fde4db62291e1f37e6b7e0f188c6e164a2473263ac73b610c9412

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\fi.exe
                                                                                                                                    Filesize

                                                                                                                                    1.6MB

                                                                                                                                    MD5

                                                                                                                                    8d0d08efc697c6568cd47c2538293677

                                                                                                                                    SHA1

                                                                                                                                    d66a0dbcdce4d1ba8c403c7a29033841cf4ed2ec

                                                                                                                                    SHA256

                                                                                                                                    16949f75c6aeffee4c1e0d4233b7c495c182d3631e58ecd2a913f5032cb947f0

                                                                                                                                    SHA512

                                                                                                                                    1fe7d05b90f6f764cdbcb0e782cea02519b40fc6d2c782f295483ff2dadcdae759b46654ae5aab06a9b2c3a8ad1968e30998cd773596a4ef407bd78be20f2907

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\fi.exe
                                                                                                                                    Filesize

                                                                                                                                    1.8MB

                                                                                                                                    MD5

                                                                                                                                    b8d85f4bd45aa8b9c2a64606f803cb50

                                                                                                                                    SHA1

                                                                                                                                    2e8a5b5abea5491053444d7b58aa96ea088b87ba

                                                                                                                                    SHA256

                                                                                                                                    f07298b4c5d16785123521d129475d03f23e770e237167e9baf5316341ccb0cd

                                                                                                                                    SHA512

                                                                                                                                    f119442bf6f04ed04b5474f86b1966e1d69248e40be7fdcffad29d497c66fd4d23c21071863f61cd7c9a6ba4d540daae12ae6a1743e784d4a74bbf098ed981e0

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\fi.exe
                                                                                                                                    Filesize

                                                                                                                                    2.1MB

                                                                                                                                    MD5

                                                                                                                                    c8075240618f62e3e2aa99571b8f9a70

                                                                                                                                    SHA1

                                                                                                                                    78cccfa04dbb1c618acfa3c3cce3f24e73137ba6

                                                                                                                                    SHA256

                                                                                                                                    de854b5d5e2fdda3243368bb05a2f9b7e7afa2a4c3a6c8cfbe0d54c5cae483a7

                                                                                                                                    SHA512

                                                                                                                                    5cfbc644aa0ae68f617c595f417ddf6b43f1d0ec77b40063ddfbfa1d8a5b4936b822ff5aebb21b06aaa17fb6c62a523b6de31523d0c20b00e3cf15d6f9654b3b

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp\INetC.dll
                                                                                                                                    Filesize

                                                                                                                                    25KB

                                                                                                                                    MD5

                                                                                                                                    40d7eca32b2f4d29db98715dd45bfac5

                                                                                                                                    SHA1

                                                                                                                                    124df3f617f562e46095776454e1c0c7bb791cc7

                                                                                                                                    SHA256

                                                                                                                                    85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

                                                                                                                                    SHA512

                                                                                                                                    5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nss4E12.tmp
                                                                                                                                    Filesize

                                                                                                                                    309KB

                                                                                                                                    MD5

                                                                                                                                    ef4a8e41049d2ff1066fe3e63e979112

                                                                                                                                    SHA1

                                                                                                                                    3fc3bd7d2a1c203b2e6d2f18fd4c818890f25267

                                                                                                                                    SHA256

                                                                                                                                    3cd17325c85733b03eff89668f01226cade7c7c6c21c5a2d3dd2c6b46a0d179c

                                                                                                                                    SHA512

                                                                                                                                    030fa7ae9b34bbfc6f0e5c5cae9f36ab482de2d0db72e2bdd643669a9b822b74ed9a64bfa6ff10b5ff870eb148a1a9f79e28bfa6252ac6d93cb4f917d08cd7b2

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nss4E12.tmp
                                                                                                                                    Filesize

                                                                                                                                    26KB

                                                                                                                                    MD5

                                                                                                                                    551145c34e8fac59d04b5457efe1e735

                                                                                                                                    SHA1

                                                                                                                                    8d32d51dbae05dad76c00d7d4a09fa4ae25d360f

                                                                                                                                    SHA256

                                                                                                                                    90289ba44ab891f011a095b470a23a51208f6b985b0be8de1137b2d36cbd509c

                                                                                                                                    SHA512

                                                                                                                                    a4517798115ff4004fa02cdf8a5d0157d9f94fbcf0fb618bcea5f9b690b4f149bc33edebea9702dedf12107d5fddb3f3dbcc612f71f17ff9f377f8f8dcfa00dc

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                                                                                                                                    Filesize

                                                                                                                                    288KB

                                                                                                                                    MD5

                                                                                                                                    da4a1ebda693a57194b27d66ed8a0fa7

                                                                                                                                    SHA1

                                                                                                                                    2e2a7295c6ccd90c28c8f7e8b773bd599b097208

                                                                                                                                    SHA256

                                                                                                                                    6fd2a8c9a14139da14d5bffd3304fdb69d156a1ab40bf54357ee8838180af2e9

                                                                                                                                    SHA512

                                                                                                                                    b4b0db967661486475ffc4fca01316c8d8ab58bc02571cf07a5f89f9cbfd1ea0dd46b7e0b51de8f3b088ed1145b3534e6055a7d74fb034d5792c337c04aebc3f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                                                                                                                                    Filesize

                                                                                                                                    316KB

                                                                                                                                    MD5

                                                                                                                                    96ec7e1af8c9b8f9c2a486ec599c5632

                                                                                                                                    SHA1

                                                                                                                                    560cda225e58b56e956e65a996f45078012b259a

                                                                                                                                    SHA256

                                                                                                                                    6f3d40e991b2613c8b23f19cf9bf1c5c4bd53888d2817ec455f53d78b8924258

                                                                                                                                    SHA512

                                                                                                                                    dff020d8359d957a0f0314cb356e7127cdc6826710fbc94e20ced9c14934045fb34f7ec7f451e2b2c352337dc2e6f501d2a8f71845957a2f6067ab40d8e2eaab

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\rty25.exe
                                                                                                                                    Filesize

                                                                                                                                    343KB

                                                                                                                                    MD5

                                                                                                                                    a403c766fa6db9a2e51f2663d2ede458

                                                                                                                                    SHA1

                                                                                                                                    a43925c6d50415b61b6082be1e4125f0dbe7217e

                                                                                                                                    SHA256

                                                                                                                                    670fd7978192fbd56376307d1952872a7215d88d6b0843d609fe0c0441c771d4

                                                                                                                                    SHA512

                                                                                                                                    2b63c50cdfb6d2dd8bd13f733c315cdc68e6e29337a3884ddcb3c4329b24ee45a3e8135d4ca541de648ae5134cd71c37da0b2e1493f3d1ac346557fb3d48f4bb

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
                                                                                                                                    Filesize

                                                                                                                                    332KB

                                                                                                                                    MD5

                                                                                                                                    a1470335c14e84fd1f158878a5776ae1

                                                                                                                                    SHA1

                                                                                                                                    98ff4297b83233ce26c0a116abe76312af645398

                                                                                                                                    SHA256

                                                                                                                                    8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5

                                                                                                                                    SHA512

                                                                                                                                    cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
                                                                                                                                    Filesize

                                                                                                                                    128B

                                                                                                                                    MD5

                                                                                                                                    11bb3db51f701d4e42d3287f71a6a43e

                                                                                                                                    SHA1

                                                                                                                                    63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                                                                                                                                    SHA256

                                                                                                                                    6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                                                                                                                                    SHA512

                                                                                                                                    907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                    Filesize

                                                                                                                                    2KB

                                                                                                                                    MD5

                                                                                                                                    3d086a433708053f9bf9523e1d87a4e8

                                                                                                                                    SHA1

                                                                                                                                    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                                                                                                                                    SHA256

                                                                                                                                    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                                                                                                                                    SHA512

                                                                                                                                    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    59c5c833b5ae786b0354b92a7250915b

                                                                                                                                    SHA1

                                                                                                                                    a6fa5c20ef1b5287c2d3ced8970cd52a39a29d62

                                                                                                                                    SHA256

                                                                                                                                    3eea0f74e668307ecfd8beb5561fd8b857e57b11867cd14654993c59615aa7ec

                                                                                                                                    SHA512

                                                                                                                                    7acf1dbd35a736421716daf3c3a549e47d07830847a84f1d4c8ee8c7eb0beb40c54e3ad7d95dcbfadcf81f3e6a6d5ba001d90da7aae70f044c5414018a7587e6

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    d7c4a04e2f22892edc279a6f3bab8549

                                                                                                                                    SHA1

                                                                                                                                    d37c2af4e2ca6e7b54bf357100a2a82cc5b4584c

                                                                                                                                    SHA256

                                                                                                                                    a68d78d42d5c7fbc1912bd7bb243244385a55785ef72f4f5af1d4b469f7de5d0

                                                                                                                                    SHA512

                                                                                                                                    bec266678aed8ae1e852f24ea2b2069c2928475159cdae190995955fc7f91e2d002d89ef5403b4fb8c208bb414b8943d08393ae242d30f43bb020bbb9a7753a8

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    1ca73094526a20a5d5df6960ce9e21bc

                                                                                                                                    SHA1

                                                                                                                                    60c70cebed9efde51263e2a74db062b8bab012f2

                                                                                                                                    SHA256

                                                                                                                                    e5b60661a1394c51ff6292fdac479088cea71a1dd740b603da8630163827eac4

                                                                                                                                    SHA512

                                                                                                                                    e95455726c07ab2430135534fb2de0829cecd57a065206377e755d546966ef499225f2465dcee3ea5c78683d76455618f3553f583cbc898972612b6bc08325a1

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    874f342969bb494a1177a1dc17f05d8c

                                                                                                                                    SHA1

                                                                                                                                    c0ba3efbf281c31649054ec12ad19d35812d7729

                                                                                                                                    SHA256

                                                                                                                                    5f71caae460a18fafdeb438da02c935e32acc652574bebe2b305f5af83b6a7b5

                                                                                                                                    SHA512

                                                                                                                                    39f08f8c66bc3f1486a00db1a2a7dc52767d2b5e700396e593b98ee312ff0e6d14cc49f139e3295850e77328bf612aab7a5c691d9aa2d28ec36fed333c12dbd1

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                    Filesize

                                                                                                                                    19KB

                                                                                                                                    MD5

                                                                                                                                    3795c3ad8f8afe71352193e883efb2cf

                                                                                                                                    SHA1

                                                                                                                                    875de2d58eccff4c0c30ffa9150c18b1e52b455e

                                                                                                                                    SHA256

                                                                                                                                    63bedbbb4e6b3692e88d211e3d620c6be2a1fabe3d715f0bf7fd56f1174008fb

                                                                                                                                    SHA512

                                                                                                                                    11f0cca26c544bfcbfcf89dfcd0e738cbad008ff23c2107a66f2155bfeb044437388c9680137cf9dae33eb1771978addd85a63535b6899f8732eff41bf43f91c

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\rss\csrss.exe
                                                                                                                                    Filesize

                                                                                                                                    85KB

                                                                                                                                    MD5

                                                                                                                                    32a4c390841ea126e415d03264aaebba

                                                                                                                                    SHA1

                                                                                                                                    c359575af16c6254aa707c3234f96e419277baac

                                                                                                                                    SHA256

                                                                                                                                    537c3598a34f9c9472cd378e41e5d2373a4b85af53eb2b2756f0aa50f0a91b57

                                                                                                                                    SHA512

                                                                                                                                    bac6153db9fd314ca53bcf996182030bd8b056cd47fafa59d5b46f396cf2292f4307d79cba9f752c670408950c957f136fa5ec27475a1bb46d64c6d2254bd226

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\rss\csrss.exe
                                                                                                                                    Filesize

                                                                                                                                    176KB

                                                                                                                                    MD5

                                                                                                                                    12661e4b26737ecf869b6b9245695427

                                                                                                                                    SHA1

                                                                                                                                    6560bc371901a3d2d0cc3a9a8602ca15e55a0ab2

                                                                                                                                    SHA256

                                                                                                                                    71d9bccf3668b91f1862fa62eaf3b66d86e64db4880443d2a469ca5c38ec7278

                                                                                                                                    SHA512

                                                                                                                                    3467d6750d8f030e610c0b7f68a0815cc4ac479aded6a3010bc399c810492f0910923f9db281daedc39715bacc9ee5ebab74a0919b0662211d00dff56ac73e3f

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\windefender.exe
                                                                                                                                    Filesize

                                                                                                                                    234KB

                                                                                                                                    MD5

                                                                                                                                    6917a96908d68f25008db45ee151d4ec

                                                                                                                                    SHA1

                                                                                                                                    ea6a5a72d927c937061e23c6ab4c006390fbb425

                                                                                                                                    SHA256

                                                                                                                                    264c5ba7ec31d7048b7b8b3932d7acd9fc25ac6d257dd51f7f0ee5d852adcfe0

                                                                                                                                    SHA512

                                                                                                                                    13db4f54f5a4ccfe8efd940e2f4303ba4fd362c802676e78da4e5a455636f25e100224b18895c4b4fa0f4128ef4efe9625136c3b4cca6f17c3943ad28ef0146c

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\windefender.exe
                                                                                                                                    Filesize

                                                                                                                                    97KB

                                                                                                                                    MD5

                                                                                                                                    180ec7b8f2733b4d60e53ae947cdf474

                                                                                                                                    SHA1

                                                                                                                                    0727f6a362a03b41c567f1ee684470a5f8a03f53

                                                                                                                                    SHA256

                                                                                                                                    609177eead31710dc20dd516efa3fab12bf2fee9ffe539e497cd945204d45cfc

                                                                                                                                    SHA512

                                                                                                                                    5b36e7858bdecb7b244dad1246637133c4342f1283176ddda727459d712d8d0380edc0675cbf4f257e6fad46032818873ab81e64aaf13affa084cbdcf9ebd169

                                                                                                                                    Download Submit

                                                                                                                                  • C:\Windows\windefender.exe
                                                                                                                                    Filesize

                                                                                                                                    149KB

                                                                                                                                    MD5

                                                                                                                                    aa6d2adc149a6c908162b7b5617427b2

                                                                                                                                    SHA1

                                                                                                                                    b4ab05f7235fcc09445ffefc3da5d34fd2fc513a

                                                                                                                                    SHA256

                                                                                                                                    d7be2c3f8dc16b4f6402c12b2e06110002c6d61944996f0ce09040a36f61f381

                                                                                                                                    SHA512

                                                                                                                                    4ed40c0ea4e5d9a978e5df7238ca892586fd8c1b312e7a691c543bc1a2659ae1c0e621a50b8ae2d0b5e6f8b6e12bb06cc1811fa91a1a6292367e1353629e0168

                                                                                                                                    Download Submit

                                                                                                                                  • memory/432-54-0x0000000074840000-0x0000000074FF0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/432-0-0x0000000074840000-0x0000000074FF0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/432-1-0x0000000000A50000-0x00000000011A4000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-162-0x00000000011A0000-0x00000000015A2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-141-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-137-0x0000000002E50000-0x000000000373B000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-56-0x00000000011A0000-0x00000000015A2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/828-53-0x0000000002E50000-0x000000000373B000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    8.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/832-468-0x0000000000400000-0x0000000000456000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    344KB

                                                                                                                                    Download

                                                                                                                                  • memory/1636-34-0x0000000000570000-0x0000000000670000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1024KB

                                                                                                                                    Download

                                                                                                                                  • memory/1636-41-0x0000000000540000-0x000000000054B000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    44KB

                                                                                                                                    Download

                                                                                                                                  • memory/1636-129-0x0000000000400000-0x000000000045C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    368KB

                                                                                                                                    Download

                                                                                                                                  • memory/1636-46-0x0000000000400000-0x000000000045C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    368KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-207-0x0000000004D60000-0x0000000004D70000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-196-0x0000000070E90000-0x00000000711E4000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    3.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-208-0x00000000073A0000-0x0000000007443000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    652KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-213-0x0000000007670000-0x0000000007681000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    68KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-214-0x00000000076C0000-0x00000000076D4000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    80KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-217-0x0000000073760000-0x0000000073F10000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-209-0x0000000004D60000-0x0000000004D70000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-197-0x000000007EF20000-0x000000007EF30000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-195-0x00000000720A0000-0x00000000720EC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    304KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-193-0x00000000066B0000-0x00000000066FC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    304KB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-173-0x0000000073760000-0x0000000073F10000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/1672-176-0x0000000004D60000-0x0000000004D70000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/1788-57-0x00007FF7C7770000-0x00007FF7C7827000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    732KB

                                                                                                                                    Download

                                                                                                                                  • memory/1872-462-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/1872-460-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/1872-464-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/1872-481-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/2468-454-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/2504-225-0x0000000073760000-0x0000000073F10000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/2692-505-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/2692-499-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/2692-485-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/2692-438-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/3184-496-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/3184-507-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/3520-467-0x0000000002A40000-0x0000000002A56000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    88KB

                                                                                                                                    Download

                                                                                                                                  • memory/3520-127-0x00000000023D0000-0x00000000023E6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    88KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-102-0x0000000007DA0000-0x0000000007E16000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    472KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-118-0x0000000007FA0000-0x0000000007FBE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-125-0x0000000008210000-0x000000000822A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    104KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-123-0x0000000008110000-0x000000000811E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    56KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-126-0x0000000008160000-0x0000000008168000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    32KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-124-0x0000000008120000-0x0000000008134000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    80KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-105-0x000000007FDB0000-0x000000007FDC0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-86-0x0000000005B10000-0x0000000005B32000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    136KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-122-0x00000000080D0000-0x00000000080E1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    68KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-84-0x0000000003490000-0x00000000034A0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-121-0x0000000008170000-0x0000000008206000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    600KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-106-0x0000000007F60000-0x0000000007F92000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    200KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-133-0x0000000073760000-0x0000000073F10000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-108-0x0000000070E90000-0x00000000711E4000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    3.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-98-0x0000000006520000-0x0000000006874000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    3.3MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-99-0x00000000069E0000-0x00000000069FE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-100-0x0000000006F60000-0x0000000006FAC000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    304KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-101-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    272KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-120-0x00000000080B0000-0x00000000080BA000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    40KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-88-0x00000000063B0000-0x0000000006416000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    408KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-83-0x0000000003490000-0x00000000034A0000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-82-0x0000000073760000-0x0000000073F10000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    7.7MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-85-0x0000000005BB0000-0x00000000061D8000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-81-0x0000000003400000-0x0000000003436000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    216KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-119-0x0000000007FC0000-0x0000000008063000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    652KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-87-0x0000000006290000-0x00000000062F6000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    408KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-107-0x0000000073F40000-0x0000000073F8C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    304KB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-103-0x00000000084A0000-0x0000000008B1A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    6.5MB

                                                                                                                                    Download

                                                                                                                                  • memory/4244-104-0x0000000007D20000-0x0000000007D3A000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    104KB

                                                                                                                                    Download

                                                                                                                                  • memory/4412-382-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/4412-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    9.1MB

                                                                                                                                    Download

                                                                                                                                  • memory/4412-136-0x0000000001090000-0x0000000001494000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.0MB

                                                                                                                                    Download

                                                                                                                                  • memory/4500-489-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4500-490-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4500-492-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-418-0x0000000000400000-0x000000000062E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-194-0x0000000000780000-0x0000000000880000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1024KB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-310-0x0000000000400000-0x000000000062E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-177-0x0000000000400000-0x000000000062E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-139-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    972KB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-73-0x0000000002240000-0x000000000225C000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    112KB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-74-0x0000000000400000-0x000000000062E000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    2.2MB

                                                                                                                                    Download

                                                                                                                                  • memory/4624-72-0x0000000000780000-0x0000000000880000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    1024KB

                                                                                                                                    Download

                                                                                                                                  • memory/4840-254-0x0000000000400000-0x00000000008E2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4.9MB

                                                                                                                                    Download

                                                                                                                                  • memory/4840-175-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    Download

                                                                                                                                  • memory/4840-58-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    Download